Predicate Encryption for MultiDimensional Range Queries from Lattices

 Phoebe Bailey
 7 days ago
 Views:
Transcription
1 Predicate Encryption for MultiDimensional Range Queries from Lattices Romain Gay and Pierrick Méaux and Hoeteck Wee ENS, Paris, France Abstract. We construct a latticebased predicate encryption scheme for multidimensional range and multidimensional subset ueries. Our scheme is selectively secure and weakly attributehiding, and its security is based on the standard learning with errors (LWE) assumption. Multidimensional range and subset ueries capture many interesting applications pertaining to searching on encrypted data. To the best of our knowledge, these are the first latticebased predicate encryption schemes for functionalities beyond IBE and inner product. 1 Introduction Predicate encryption [BW07, SBC + 07, KSW08] is a new paradigm for publickey encryption that supports search ueries on encrypted data. In predicate encryption, ciphertexts are associated with descriptive values x in addition to a plaintext, secret keys are associated with a uery predicate f, and a secret key decrypts the ciphertext to recover the plaintext if and only if f (x) = 1. The security reuirement for predicate encryption enforces privacy of x and the plaintext even amidst multiple search ueries, namely an adversary holding secret keys for different uery predicates learns nothing about x and the plaintext if none of them is individually authorized to decrypt the ciphertext. Multidimensional range ueries. Following [BW07, SBC + 07], we focus on predicate encryption for multidimensional range ueries, as captured by the following examples: For network intrusion detection on logfiles, we would encrypt network flows labeled with a set of attributes from the network header, such as the source and destination addresses, port numbers, timestamp, and protocol numbers. We could then issue auditors with restricted secret keys that can only decrypt the network flows that fall within a particular range of IP addresses and some specific time period. For credit card fraud investigation, we would encrypt credit card transactions labeled with a set of attributes such as time, costs and zipcodes. We could then issue investigators with restricted secret keys that decrypt transactions over $1,000 which took place in the last month and originated from a particular range of zipcodes. For online dating, we would encrypt personal profiles labeled with dating preferences pertaining to age, height, weight and salary. Secret keys are associated with specific attributes and can only decrypt profiles for which the attributes match the dating preferences. Supported in part by ANR14CE (Project EnBiD). INRIA and ENS. Supported in part by ANR13JS (Project CLE). ENS and CNRS. Supported in part by ANR14CE (Project EnBiD), NSF Award CNS , ERC Project CryptoCloud (FP7/ Grant Agreement no ), the Alexander von Humboldt Foundation and a Google Faculty Research Award.
2 More generally, in multidimensional range ueries, we are given a point (z 1,..., z D ) [T ] D and interval ranges [x 1, y 1 ],...,[x D, y D ] [T ] and we want to know if (x 1 z 1 y 1 ) (x D z D y D ). We also consider more general multidimensional subset ueries where we are given subset S 1,...,S D [T ] and we want to know if (z 1 S 1 ) (z D S D ). Note that in the first two examples, the search ueries are associated with the keys, whereas in the third example, the search ueries are associated with the ciphertext. We will refer to encryption schemes for the former as keypolicy schemes, and schemes for the latter as ciphertextpolicy schemes. In all of these examples, it is important that unauthorized parties do not learn the contents of the ciphertexts, nor of the metadata associated with the ciphertexts, such as the network header or dating preferences. On the other hand, it is often okay to leak the metadata to authorized parties. We stress that privacy of the metadata is an additional security reuirement provided by predicate encryption but not attributebased encryption [GPSW06, GVW13]. Prior works. The first constructions of predicate encryption for multidimensional range ueries were given in the works of Boneh and Waters [BW07] and Shi, et. al [SBC + 07]; all of these constructions rely on bilinear groups and achieve parameters that are linear in the number of dimensions D. The latter work also presents a generic brute force construction based on any anonymous IBE, where the parameters grow exponentially in D. 1.1 Our contributions In this work, we construct a latticebased predicate encryption scheme for multidimensional range ueries, whose security is based on the standard learning with errors (LWE) assumption. Our scheme is selectively secure and weakly attributehiding, that is, we only guarantee privacy of the ciphertext attribute against collusions that are not authorized to decrypt the challenge ciphertext. The scheme is best suited for applications where the range T is very large but the number of dimensions D is a small constant, as is the case for the three applications outlined earlier and also the scenario considered in [SBC + 07]. In addition, we extend our techniues to multidimensional subset ueries, where we obtain improved efficiency over prior schemes [BW07]. We summarize our schemes in Table 1 and 2. Our approach. At a high level, our approach follows that of Shi et al. [SBC + 07], who showed how to boost an anonymous IBE scheme into a predicate encryption scheme for multidimensional range ueries. We show how to carry out a similar transformation over lattices, starting from the LWEbased anonymous IBE schemes in [CHKP10, ABB10a, AFV11]. We highlight the main novelties in this work: First, we present a more modular and conceptually simpler approach for handling multidimensional range ueries. We construct our scheme for the simpler ANDOREQ predicate (conjunction of disjunction of eualities), and present a combinatorial reduction from multidimensional range ueries to this predicate. The simpler ANDOREQ predicate is symmetric, which immediately yields both keypolicy and ciphertextpolicy schemes for multidimensional range ueries. We can only prove security for our latticebased ANDOREQ predicate encryption under an at most one promise, which necessitates a more delicate reduction from multidimensional range ueries to ANDOREQ where we decompose range ueries into disjoint subintervals. Indeed, the same technical issue arises in the previous pairingbased schemes. To handle the inner disjunction of euality like (X = a) (X = b) for the keypolicy ANDOREQ predicate where X is associated with the ciphertext and (a, b) with the key, our new ciphertext is 2
3 Table 1. Summary of existing predicate encryption schemes for multidimensional range ueries: given a point (z 1,..., z D ) [T ] D and interval ranges [x 1, y 1 ],...,[x D, y D ] [T ], we want to know if (x 1 z 1 y 1 ) (x D z D y D ). Here, D denotes the number of dimensions and T the number of points in each dimension. We omit the poly(n) multiplicative overhead, where n is the security parameter. Source Public key size Ciphertext size Secret key size Encryption time Decryption time Attributehiding [BW07] (KP) O(D T ) O(D T ) O(D) O(D T ) O(D) fully [SBC + 07] (KP, CP) O(D logt ) O(D logt ) O(D logt ) O(D logt ) O((logT ) D ) weakly this paper (KP, CP) O(D logt ) O(D logt ) O(D logt ) O(D logt ) O((logT ) D ) weakly Table 2. Summary of existing predicate encryption schemes for multidimensional subset ueries: given a point (z 1,..., z D ) [T ] D and subsets S 1,...,S D [T ], we want to know if (z 1 S 1 ) (z D S D ). Here, D denotes the number of dimension and T the size of the sets. We omit the poly(n) multiplicative overhead, where n is the security parameter. (KP) stands for keypolicy and (CP) stands for ciphertextpolicy. Source Public key size Ciphertext size Secret key size Encryption time Decryption time Attributehiding this paper (KP) O(D) O(D) O(D T ) O(D) O(T D ) weakly this paper (CP) O(D T ) O(D T ) O(D) O(D T ) O(D) weakly an anonymous IBE ciphertext for the identity X, and the key comprises two IBE keys for a and b; decryption works by trying all possible IBE keys. Following [SBC + 07], we will pad the plaintext with zeroes, so that we know which of the decryptions corresponds to the correct plaintext. To handle the outer conjunction, we rely on secret sharing, as with prior latticebased fuzzy IBE [ABV + 12]. Correctness for the inner disjunction reuires more care than that in the bilinear groups. Roughly speaking, we need to show that decrypting an IBE ciphertext for identity a with a key for identity b a yields a randomlooking value. The straightforward argument that relies on IBE security yields computational correctness. To achieve statistical correctness in the latticebased setting, we rely on a simple but seemingly novel analysis of the output of latticebased trapdoor sampling algorithms (c.f. Lemma 13). The intuition for security for the inner disjunction is as follows: if X is different from a and b, then both X and the plaintext remain hidden via security of the underlying IBE. On the other hand, if X is eual to one of a,b, then the decryptor does learn the exact value of X, which means that we cannot hope to achieve strong attributehiding using these techniues. To establish the weak attributehiding for the general ANDOREQ, we rely on techniues from latticebased inner product encryption [AFV11]. To the best of our knowledge, this is the first latticebased predicate encryption scheme for functionalities beyond IBE and inner product [CHKP10, ABB10a, AFV11, Xag13], and we hope that it would inspire further research into latticebased predicate encryption. We defer a more detailed overview of our construction to Section 4. Organization. The rest of the paper is organized as follows. We recall the relevant background on lattices and the security model of predicate encryption in Section 2. We introduce the socalled ANDOREQ predicate, and show how to reduce multidimensional subset ueries and multidimensional range ueries to ANDOREQ in Section 3. We give our latticebased predicate encryption scheme for AND 3
4 OREQ in Section 4, and we show that it gives an efficient construction for multidimensional range ueries. Finally, we show in Section 5 how to improve the construction of Section 4 in order to obtain an efficient scheme for multidimensional subset ueries. 2 Preliminaries Notations. We denote by s R S the fact that s is picked uniformly at random from a finite set S or from a distribution. By PPT, we denote a probabilistic polynomialtime algorithm. Throughout this paper, we use 1 n as the security parameter. For every vector u Z n, we write u = (u 1,...,u n ), and for any matrix M Z n m, we write M i,j the (i, j ) entry of M. For any x R, we denote by x the largest integer less than or eual to x. For any z [0,1], we denote by z the closest integer to z. Randomness extraction. We use the following variant of the leftover hash lemma [ILL89, DORS08] from [ABB10a]: Lemma 1 ([ABB10a], Lemma 13). Let m > (n + 1)log + ω(logn), > 2 be a prime number, R R { 1,1} m l mod, where l = l(n) is polynomial in n. Let A R Z n m, B R Z n l ; For all vectors u Z m the distribution (A, AR, u R) is statistically close from the distribution (A, B, u R). LWE Assumption. [Reg05], The decisional Learning With Error problem (dlwe) was introduced by Regev Definition 1 (dlwe). For an integer = (n) 2, an adversary A and an error distribution χ = χ(n) over Z, we define the following advantage function: where Adv dlwe n,m,,χ A := Pr[A(A, z 0 ) = 1] Pr[A(A, z 1 ) = 1] A R Z n m, s R Z n, e R χ m, z 0 := s A + e and z 1 R Z m The dlwe n,m,,χ assumption asserts that for all PPT adversaries A, the advantage Adv dlwe n,m,,χ A negligible function in n. is a Throughout the paper, we denote by χ max < the bound on the noise distribution χ. 2.1 Lattice preliminaries Lattices. For any matrix A Z n m and any vector p Z n, we define the orthogonal ary lattice of A: Λ (A) := {u Zm : Au = 0 mod } and the shifted lattice: Λ p (A) := {u Z m : Au = p mod }. Similarly, for any matrix P Z n l, we define: Λ P (A) := {U Zm l : AU = P mod }. Matrix norms. For any vector x, we denote by x its l 2 norm. For any matrix R Z n l three following norms: we define the 4
5 1. R denotes the maximum of the l 2 norm over the columns of R. 2. R GS denotes the GramSchmidt norm of R (see [BGG + 14] for further details). 3. R 2 denotes the operator norm of R defined as R 2 = sup x =1 Rx. Note that for any matrix S Z l m, and any vector e Z n, we have R S R 2 S, and e F e F. Gaussian distributions. For any positive parameter σ R >0, let ρ σ (x) := exp( π x 2 /σ 2 ) be the Gaussian function on R n of center 0 and parameter σ. For any n N and any subset D of Z n, we define ρ σ (D) := ρ σ (x) the discrete integral of ρ σ over D, and D D,σ the discrete Gaussian distribution over D of parameter σ. That is, for all y D, we have D D,σ (y) := ρ σ(y) ρ σ (D). Lemma 2 ([BGG + 14], Lemma 2.5). Let n,m,l, > 0 be integers and σ > 0 be a Gaussian parameter. For all A Z n m, P Z n l, U R D Λ P (A),σ and R R { 1,1} m m, with overwhelming probability in m, x D U σ m, R 2 20 m Trapdoor generators. The following lemmas state properties of algorithms for generating short basis of lattices. Lemma 3 ([Ajt96, AP09, MP12]). Let n,m, > 0 be integers with prime and m = Θ(n log ). There is a PPT algorithm TrapGen defined as follows: TrapGen(1 n,1 m, ): Inputs: a security parameter n, an integer m such that m = Θ(n log ), and a prime modulus. Outputs: a matrix A Z n m and a basis T A Z m m for Λ (A) such that the distribution of A is negl(n) close to uniform and T A GS = O( n log ), with all but negligible probability in n. Lemma 4 ([MP12]). Let n,m, > 0 be integers with prime and m = Θ(n log ). There is a fullrank matrix G such that the lattice Λ (G) has a publicly known basis T G Z m m with T G GS 5. Lemma 5 ([GPV08], Lemmas 5.1 and 5.2). Let m 2n log. With all but negl(n) probability, A R Z n m columns of A generate Z n ). Assume A Z n m close: 2.2 Sampling algorithms is full rank (i.e. the subsetsums of the is fullrank and σ = ω( logn). Then, the following distributions are statistically {(u, Au) : u R D Z m,σ} and {(u, p) : p R Z n, u R D Λ p (A),σ } Given a matrix F := [A B] and a matrix P, we would like to sample random lownorm matrices U such that FU = P. Specifically, we want to sample U from the distribution D Λ P (F),σ. The following lemma tells us we could do so given either (1) a lownorm basis T A of Λ (A) using RightSample, or (2) a lownorm matrix R and an invertible matrix H such that B = HG+AR using LeftSample. We will use (1) in the actual scheme, and (2) in the security proof. 5
6 Lemma 6 ( [GPV08, ABB10b, CHKP10, MP12] and [BGG + 14], Lemma 2.8). There exist PPT algorithms RightSample and LeftSample such that: RightSample(A, T A, B, P,σ): Inputs: fullrank matrices A, B Z n m, a basis T A of Λ (A), a matrix P Zn (l+n) and a Gaussian parameter σ = O( T A GS ). Output: a matrix U Z 2m (l+n) whose distribution is statistically close to D Λ P [A B],σ ω( logm). Remark 1. We can sample a short matrix U = U 1 Z 2m (l+k) in the same way that [ABB10b]. That is, we first sample the bottom part U 2 Z m (l+k) U 2 from D Z m (l+k) and then, we sample the top part,σ ω( logn) U 1 Z m (l+k) from a distribution statistically close to D Λ P BU 2 (A),σ ω( logm), using T A. LeftSample(A, R, G, H, P,σ) : Inputs: a fullrank matrix A Z n m Lemma 4, an invertible matrix H Z n n, a matrix R Z m m, a fullrank matrix G Z n m as defined in, a matrix P Z n (l+n) and a Gaussian parameter σ = O( R 2 ). Output: a matrix U Z 2m (l+n) whose distribution is statistically close to D Λ P [A HG+AR],σ ω( logm). 2.3 Predicate Encryption A predicate encryption scheme for a predicate P(, ) consists of four algorithms (Setup,Enc,KeyGen,Dec): Setup(1 n,x,y,m) (mpk,msk). The setup algorithm gets as input the security parameter n, the attribute universe X, the predicate universe Y, and the message space M. Enc(mpk, x,m) ct. The encryption algorithm gets as input mpk, an attribute x X and a message m M. It outputs a ciphertext ct. KeyGen(mpk,msk, y) sk y. The key generation algorithm gets as input msk and a value y Y. It outputs a secret key sk y. Note that y is public given sk y. Dec(mpk,sk y,ct) m. The decryption algorithm gets as input sk y and a ciphertext ct. It outputs a message m. Correctness. We reuire that for all (x, y) X Y such that P(x, y) = 1 and all m M, Pr[ct Enc(mpk, x,m);dec(sk y,ct) = m)] = 1 negl(n), where the probability is taken over (mpk,msk) Setup(1 n,x,y,m) and the coins of Enc. 6
7 Security Model. For a stateful adversary A, we define the advantage function (x0, x 1 ) A(1λ ); β R {0,1}; AdvA PE (n) := Pr β = β (mpk,msk) Setup(1 n,x,y,m); : 1 (m 0,m 1 ) A KeyGen(msk, ) (mpk); 2 ct Enc(mpk, x β,m β ); β A KeyGen(msk, ) (ct) with the restriction that all ueries y that A makes to KeyGen(msk, ) satisfies P(x0, y) = P(x 1, y) = 0 (that is, sk y does not decrypt ct). A predicate encryption scheme is selectively secure and weakly attributehiding 1 if for all PPT adversaries A, the advantage AdvA PE (n) is a negligible function in n. 3 Reductions Amongst Predicates 3.1 ANDOREQ predicate In this section we state our general predicate, and exhibit the reductions from multidimensional subset ueries and multidimensional range ueries to the latter. This general predicate is symmetric (c.f. Lemma 11), which will allow us to obtain both ciphertextpolicy and keypolicy predicate encryption schemes in Section 4. Disjunction of euality ueries. Here, P OREQ : Z l Zl {0,1}, and P OREQ(x, y) = 1 iff l ( ) xi = y i. We generalize the previous predicate to a multidimensional setting as follows P ANDOREQ Z D l {0,1}, and: D l ( ) P ANDOREQ (X, Y) = 1 iff Xi,j = Y i,j j =1 : Z D l We impose a socalled at most one promise on the input domains of the predicate for our predicate encryption scheme in Section 4. This technical property is reuired for our latticebased instantiations (see Remark 3 in Section 4) and also implicitly used in prior pairingbased ones. We define the predicate P AT MOST ONE : Z l Zl {0,1} and its multidimensional variant P AND AT MOST ONE : Z D l P AT MOST ONE (x, y) = 1 iff there exists at most one j [l], x j = y j Z D l {0,1} by: P AND AT MOST ONE (X, Y) = 1 iff i [D], there exists at most one j [l] s.t. X i,j = Y i,j We reuire that the input domains X,Y Z D l for P ANDOREQ satisfy the at most one promise, namely for all X X, Y Y, P AND AT MOST ONE (X, Y) = 1 1 In an adaptively secure scheme, the adversary specifies (x 0, x 1 ) after seeing mpk and making key ueries. In a fully attributehiding scheme, the adversary is allowed key ueries y for which P(x 0, y) = P(x 1, y) = 1, in which case the challenge messages m 0,m 1 must be eual. 7
8 Indeed, the promise is satisfied by all of our reductions in this section. 3.2 Multidimensional subset ueries Predicate (ciphertextpolicy). Here, P CPSUBSET : {0,1} D T [T ] D {0,1} and D P CPSUBSET (W, z) = 1 iff W i,zi = 1 For each dimension i [D], the i th row of W is the characteristic vector of a subset of [T ]. Reducing P CPSUBSET to P ANDOREQ. We map (W, z) {0,1} D T [T ] D to ( W, Z) Z D T Z D T where W is the matrix W where zeros are replaced by 1, that is, for all (i, j ) [D] [T ], W i,j = 1 if W i,j = 1, and W i,j = 1 otherwise. (We need this modification in order to satisfy the at most one promise.) Z Z D T denotes the matrix whose i th row is e zi Z 1 T, where (e 1,...,e T ) denotes the standard basis of Z 1 T. For instance, we map ((0, 1, 1), 2) to (( 1, 1, 1),(0, 1, 0)). We can check that the following lemma holds: Lemma 7 (P CPSUBSET to P ANDOREQ ). Let (W, z) {0,1} D T [T ] D, and ( W, Z) Z D T above. Z D T defined as P CPSUBSET (W, z) = 1 iff P ANDOREQ ( W, Z) = 1 P AND AT MOST ONE ( W, Z) = Multidimensional range ueries Predicate (keypolicy). Here, P KPRANGE : [T ] D I(T ) D {0,1} and P KPRANGE (z, I) = 1 iff I(T ) denotes the set of all intervals of [T ]. D (z j I j ), where We show how to reduce P KPRANGE to P ANDOREQ, which involves rewriting points and intervals as vectors. j =1 Writing points and intervals as vectors. For simplicity, we write t for logt. In order to realize the at most one promise, we need to decompose intervals into disjoint subintervals where each subinterval contains all the points with some fixed prefix, e.g. [010,110] can be written as [010,011] [100,101] [110,110]. Indeed, any interval in [T ] can be partitioned into at most 2t disjoint subintervals with this property [DVOS00, Lemma 10.10]. 2 In addition, we can ensure that there are exactly 2t subintervals by padding with empty intervals ε (using empty intervals ensures that no point ever lies in more than one of these 2t subintervals). Lemma 8 (interval to vector [DVOS00]). There is an efficient PPT algorithm IntVec that on input I [T ] outputs (w 1, w 2,..., w 2t ) ( {0,1} {ε} ) 2t, where t := logt, with the following properties: for each i = 1,..., t, we have w 2i 1, w 2i {0,1} i {ε}; 2 See for a visualization. 8
9 for all z [T ], we have z I iff one of w 1,..., w 2t is a prefix of z; for all z [T ], at most one of w 1,..., w 2t is a prefix of z. Here, ε is not a prefix of any string. For instance, IntVec([010, 110]) = (ε, ε, 01, 10, 110, ε). Remark 2 (Hashing bit strings into Z ). We map {0,1} t {ε} where t := logt into Z in the straightforward way, which reuires that T + 1. We can handle also larger T by using matrices over Z à la [ABB10a, Section 5]. Now we give the description of algorithm PtVec, used to map points to vectors. PtVec: On input z [T ], output (v 1,..., v 2t ) Z 2t, where v 2i 1 = v 2i := i bit prefix of z, i = 1,..., t. For instance, PtVec(011) = (0, 0, 01, 01, 011, 011). Lemma 9. For any point z [T ] and any interval I [T ], z I iff P OREQ (PtVec(z),IntVec(I )) = 1 P AT MOST ONE (PtVec(z),IntVec(I )) = 1. Lemma 9 follows readily from Lemma 8. Reducing P KPRANGE to P ANDOREQ. We map (z, I) to (PtVec D (z),intvec D (I)) where PtVec D (z) Z D 2t denotes the matrix whose i th row is PtVec(z i ) IntVec D (I) Z D 2t denotes the matrix whose j th row is IntVec(I j ) Lemma 10 (P KPRANGE to P ANDOREQ ). For all z [T ] D and I (I[T ]) D, P KPRANGE (z,i) = 1 iff P ANDOREQ (PtVec D (z),intvec D (I)) = 1 P AND AT MOST ONE (PtVec D (z),intvec D (I)) = 1 Lemma 10 follows readily from Lemma 9, applied to each dimension i [D]. Predicate (ciphertextpolicy). Here, P CPRANGE : I(T ) D [T ] D {0,1} and P CPRANGE (I, z) = 1 iff D ( ) z j I j j =1 The predicates P OREQ and P AT MOST ONE are symmetric: Lemma 11 (Symmetry of P OREQ and P AT MOST ONE ). For all x, y Z l, we have: P OREQ (x, y) = 1 P OREQ (y, x) = 1 P AT MOST ONE (x, y) = 1 P AT MOST ONE (y, x) = 1 Thanks to this symmetry, we can reduce P CPRANGE to P ANDOREQ in the same way we did for P KPRANGE. 9
10 Reducing P CPRANGE to P ANDOREQ. Following the previous reduction, we map (I, z) to (IntVec D (I),PtVec D (z)). Lemma 12 (P CPRANGE to P ANDOREQ ). For all I (I[T ]) D and z [T ] D, P CPRANGE (I, z) = 1 iff P ANDOREQ (IntVec D (I),PtVec D (z)) = 1 P AND AT MOST ONE (IntVec D (I),PtVec D (z)) = 1. Lemma 12 follows from Lemma 10 and Lemma Predicate Encryption for ANDOREQ Here we describe our predicate encryption scheme for the ANDOREQ predicate defined in Section 3.1, selectively secure and latticebased. Recall that P ANDOREQ : Z D l Z D l {0,1}, and P ANDOREQ (X, Y) = 1 iff D j =1 l ( ) Xi,j = Y i,j The security of our scheme relies on the fact the ciphertext attributes and secret key predicates come from a restricted domain X,Y Z D l satisfying the at most one promise, namely for all X X, Y Y, P AND AT MOST ONE (X, Y) = 1 Indeed, the promise is satisfied by all of our reductions in Section 3.1. Overview. We begin with the special case D = 1. Given an attribute matrix x Z 1 l, the ciphertext is an LWE sample corresponding to a matrix of the form [ A A1 + x 1 G A l + x l G ] where A, the A i s and G are publicly known matrices, and the message is masked using an LWE sample corresponding to a public matrix P. The secret key corresponding to y Z 1 l is a collection of l short matrices U 1,...,U l such that for all j [l], [ A Aj + y j G ] U j = P To understand how decryption works, let us first suppose that there exists a uniue j such that x j = y j and that the decryptor knows j ; then, the decryptor can use U j to recover the plaintext. However, since the decryptor does not know x, he will try to decrypt the ciphertext using each of U 1,...,U l. We will also need to pad the plaintext with redundant zeros so that the decryptor can identify the correct plaintext. To establish security with respect to some selective challenge x, we will need to simulate secret keys for all y such that x j y j for all j [l]. We can then simulate U j using an allbutone simulation (while puncturing at x ) exactly as in prior IBE schemes in [ABB10a]. In order to establish weak attributehiding, j we adopt a similar strategy to that for inner product encryption in [AFV11]: roughly speaking, we will show that the challenge ciphertext is computational indistinguishable from an encryption of a random plaintext message under a random attribute x. 10
11 Higher dimensions. Given an attribute matrix X Z D l, the ciphertext is an LWE sample corresponding to a matrix of the form [ A A1,1 + X 1,1 G A 1,l + X 1,l G A 2,1 + X 2,1 G A D,l + X D,l G ] The secret key corresponding to Y Z D l is a collection of D l short matrices U 1,1,...,U D,l such that for i [D], j [l]: [ A Ai,j + Y i,j G ] U i,j = P i where P 1,...,P D is an additive secretsharing of P. For correctness, observe that if there exist indices (j 1,..., j D ) [l] D such that for all i [D] X i,ji = Y i,ji then the decryptor can use U 1,j1,, U D,jD to recover the plaintext. As with the case D = 1, the decryptor will need to enumerate over all (j 1,..., j D ) [l] D. To simulate secret keys for Y with respect to some selective challenge X, we first fix i such that X i,j Y i,j for all j [l]. Without loss of generality, suppose i = 1, that is, for all j [l], X 1,j Y 1,j. Using the "at most one" promise on X and Y, we know that for all i 2, we have X i,j = Y i,j for at most one j [l], which we call j i. That is, there exists a vector of indices (j 2,..., j D ) [l] D 1 such that for all i 2 and all j j i, we have X i,j Y i,j. We then proceed as follows: Sample random short matrices U 2,j2,...,U D,jD, which in turn determines the shares P 2,...,P D. Use an allbutone simulation strategy to sample the short matrices U i,j, for all i 2, and j j i. Define P 1 := P D i=2 P i and use an allbutone simulation strategy to sample the remaining short matrices in the secret key. Note that the construction relies crucially on the at most one promise on X and Y. In fact, the scheme given in Section 4.1 is insecure if this promise is not fulfilled, that is, there is a PPT adversary that wins the game defined in Section 2.3 with non negligible advantage. The attack goes as follows. Suppose that the adversary holds a secret key for Y Z D l such that P ANDOREQ (X, Y) = 0 and P AND AT MOST ONE (X, Y) = 0. Since P AND AT MOST ONE (X, Y) = 0, for some dimension i [D], there are at least two indices j 1, j 2 [l] such that X i,j1 = Y i,j1 and X i,j2 = Y i,j2, and therefore, both short matrices U i,j1 and U i,j2 allow to recover the same LWE sample corresponding to the matrix P i, up to some error. When X i,j2 Y i,j2 however, U i,j2 with the corresponding (i, j 2 ) component of the ciphertext only gives a uniformly random vector. Therefore, the fact that U i,j1 and U i,j2 both decrypts to (almost) the same LWE sample tells the adversary that X i,j1 = Y i,j1 and X i,j2 = Y i,j2 with high probability, contradicting the fact that the scheme is weakly attribute hiding. This induces an attack whose running time is polynomial in the security parameter. 4.1 Construction Let n N be the security parameter. Let the attribute space X and predicate space Y be subsets of Z D l satisfying the at most one promise. Let = (n), m = m(n,l,d) and χ max = χ max (n,,l,d) be positive integers. Let σ = σ(n,,l,d) be a Gaussian parameter. Setup(1 n,x,y,m): On inputs the security parameter n, X Z D l, Y Z D l and M := {0,1} k, do: Pick (A, T A ) TrapGen(1 n,1 m, ). For all i [D] and all j [l], pick A i,j R Z n m. 11
12 Pick P R Z n (k+n). Compute (G, T G ) as defined in Lemma 4. Output mpk := (P, A, A 1,1,...,A D,l, G, T G ) and msk := T A Enc(mpk, X, b): On input mpk, X X and b {0,1} k, do: Pick s R Z n, e R χ m, and compute c 0 := s A + e. For all i [D] and all j [l], do: Pick R i,j { 1,1} m m. Compute c i,j := s ( A i,j + X i,j G ) + e R i,j. Set b := (b,0,...,0) {0,1} k+n, pick e R χ k+n, and compute c f := s P + e + b /2. Output ct := (c 0, c 1,1,...,c D,l, c f ) KeyGen(mpk, msk, Y): On input the public parameters mpk, the master secret key msk, and a predicate matrix Y Y, do: Secret share P as {P i,i [D]}, such that D P i = P. For all i [D] and all j [l] : Sample a short matrix U i,j Z 2m (k+n) such that [ A A i,j + Y i,j G ] U i,j = P i using RightSample(A, T A, A i,j + Y i,j G, P i,σ) with σ = O( n log ). output the secret key sk Y = (U 1,1,...,U D,l ) Dec(mpk,sk Y,ct): On input the public parameters mpk, a secret key sk Y = (U 1,1,...,U D,l ) for a predicate matrix Y, and a ciphertext ct = (c 0, c 1,1,...,c D,l, c f ), do: For all (j 1,..., j D ) [l] D, compute d := c f D [ ] c0 c i,ji Ui,ji mod. If d /2 {0,1} k 0 n, then output the first k bits of d /2. For any z [0,1], we denote by z the closest integer to z. Otherwise, abort. Running time. The running times are: O(D l poly(n)) for encryption; O(D l poly(n)) for key generation; O(l D poly(n)) for decryption. The above numbers take into account matrix multiplications and additions. When done naively, the above Dec algorithm takes O(D l D poly(n)) time. However, if one saves the intermediate results [ c0 c i,j ] Ui,j for all (i, j ) [D] [l], one can do it in O(l D poly(n)) time. 4.2 Correctness Lemma 13. Suppose that χ max is such that χ max /4 (1 + D ( m) s 2m ) 1 where s = σ ω( logn). Let (X, Y) X Y such that P ANDOREQ (X, Y) = 1. Let sk Y = (U 1,1,...,U D,l ) KeyGen(mpk, msk, Y) 12
13 and ct = (c 0,...,c f ) Enc(mpk, X, b) With overwhelming probability in n, Dec does not abort and outputs b. Proof. Recall that Dec computes d for all (j 1,..., j D ) [ l ] D. We consider two cases: Case 1: i, X i,ji = Y i,ji. We show that with overwhelming probability in n, For all i [D], This implies [ A Ai,ji + X i,ji G ] U i,ji = P i thus d /2 D [ A Ai,ji + X i,ji G ] U i,ji = P D ] D [c 0 c i,ji Ui,ji s [ A A i,ji + X i,ji G ] U i,ji = s P c f b /2 = (b,0,...,0) := b. and thus d b /2. To obtain d /2 = b, it suffices to bound the error term and show that e D (e e R i,ji )U i,ji < /4. We know that e χ max. In addition, for all i [D], (e e R i,ji )U i,ji (e e R i,ji ) U i,ji ( e + ) Ri 2,ji e U i,ji By Lemma 6, Ui,ji σ ω( logn) 2m and by Lemma 2, Ri,ji 2 20 m. Combining these bounds, we obtain e D (e e R i,ji )U i,ji χ max + D χ max ( m) σ ω( logm) 2m We will set the parameters in Section 4.4 so that the uantity on the right is bounded by /4. Case 2: i, X i,j i Y i,j i. We show that the computed value d has a distribution which is statistically close to uniform, and therefore the probability that the last n bits of are all 0 is negligible in n. By an analogous calculation to that in Case 1, we have: d /2 D [ A Ai,ji + X i,ji G ] D U i,ji = P + [0 (X i,ji Y i,ji )G ] U i,ji We know that there exists some i [D] such that X i,j i Y i,j i, and we focus on [ 0 s (X i,j i Y i,j i )G ] U i,j i By Remark 1, we know that the bottom part U 2 Z m (k+n) of U i,j i is sampled from D Z m,σ ω( logn). Therefore, since X i,j i Y i,j i 0 and G is a fullrank matrix, by Lemma 5, we know that the distribution of GU 2 is indistinguishable from uniform over Z n (k+n) and then, the entire sum is indistinguishable 13
14 from uniform over Z k+n. Therefore, d = c f D [ ] c0 c i,ji Ui,ji mod is indistinguishable from uniform over Z k+n, and the probability that the last n bits of d /2 are all 0 is negligible in n. 4.3 Proof of Security Lemma 14. For any adversary A on the predicate encryption scheme, there exists an adversary B on the LWE assumption whose running time is roughly the same as that of A and such that AdvA PE (n) AdvdLWE n,m+n+k,,χ + negl(n) B The proof follows via a series of games, analogous to those in [AFV11]. We first define several auxiliary algorithms for generating the simulated ciphertexts and secret keys, upon which we can describe the games. Auxiliary algorithms. We introduce the following auxiliary algorithms: Setup(1 n,x,y,m, A, P, X ): on a security parameter n, an attribute space X Z D l, a predicate space Y Z D l satisfying the at most one promise, a message space M := {0,1} k, a matrix A Z n m, a matrix P Z n (k+n) and the challenge attribute matrix X, do: Compute (G, T G ) as defined in Lemma 4. For all i [D] and all j [l], pick R i,j { 1,1} m m and set A i,j := AR i,j X i,j G. Output mpk := (P, A, A 1,1,...,A D,l, G, T G ) and msk := (X, R 1,1,, R D,l, T A ) Ẽnc(mpk, b; msk, d 0, d f ): On input the public parameters mpk, a message b {0,1} k, the master secret key msk, and the extra inputs d 0 Z m, d f Z k+n do: Set c 0 := d 0, For all i [D] and all j [l], compute c i,j := d 0 R i,j, Compute b := (b,0,...,0) {0,1} k+n, and set c f := d f + b /2. Output (c 0,...,c f ). KeyGen(mpk, msk, Y, X ): On input the public parameters mpk, the master secret key msk, a predicate matrix Y and the challenge attribute matrix X do: If P(X, Y) = 1, abort. Otherwise, since P(X, Y) = 0, there must exist a i [D] such that for all j [l], X i,j Y i,j. By the at most one property, for all i [D], there is at most one j i [l] such that X i,j i = Y i,ji. We proceed in three steps : 1. First, for all i [D] \ {i } we sample: U i,ji R D Z 2m (k+n),σ ω( logn) with σ = O( n log ) and set ] P i := [A AR i,ji U i,ji Z n (k+n) 14
15 2. Next, we set P i to be: P i := P P i i i 3. We sample the remaining matrices as follows: U i,j LeftSample(A, R i,j, G,Y i,j X i,j, P i,σ). This is possible because Y i,j X i,j 0, whenever i = i or whenever j j i. Output (U 1,1,...,U D,l ). Game seuence. We present a series of games. We write Adv xxx to denote the advantage of A in Game xxx. Game 0 : is the real security game, as defined in Section 2.3. Game 1 : same as Game 0, except that the challenger runs Setup(1 n,x,y,m; A, P, X β ) and Ẽnc(mpk, b β; msk, s A + e, s P + e ) with (A, T A ) R TrapGen(1 n,1 m ), P R Z n (k+n), s R Z n, e R χ m, and e R χ k+n. Game 2 : same as Game 1 except that the challenger runs KeyGen. Game 3 : same as Game 2 except that the challenger runs Ẽnc(mpk, b β ; msk, d 0, d f ) where d 0 R Z m and d f R Z k+n. Game 4 : is the same as Game 3 except that the challenger runs KeyGen. We show in the following lemmas that each pair of games (Game i,game i+1 ) are either statistically indistinguishable or computationally indistinguishable under the decisionlwe assumption. Finally, we show in Lemma 19 that no information is leaked about β is the last game Game 4. Lemma 15 (Game 0 to Game 1 ). For all m > (n + 1)log + ω(logn), we have Adv 0 Adv 1 = negl(n). Proof. From Game 0 to Game 1, we switch from Setup,Enc to Setup,Ẽnc. Note that the only difference between Game 0 and Game 1 is that for all i [D] and j [l], the matrix A i,j is set to be A i,j R Z n m in Game 0, whereas it is set to be A i,j := AR i,j X i,j G in Game 1, where R i,j R { 1,1} m m. The matrix A i,j only appears in the mpk and in the component c i,j = s (A i,j + X i,j G) + e R i,j of the ciphertext. Therefore it suffices to show that the distribution of (A, e, A i,j, e R i,j ) in Game 0 and Game 1 are statistically close, that is, (A, e, A i,j, e R i,j ) s (A, e, AR i,j X i,j G, e R i,j ) where A i,j R Z n m, R i,j R { 1,1} m m, and e R χ m. Observe that (A, e, A i,j, e R i,j ) (A, e, A i,j X i,j G, e R i,j ) since A i,j R Z n m s (A, e, AR i,j X i,j G, e R i,j ) by Lemma 1 Lemma 16 (Game 1 to Game 2 ). Adv 1 Adv 2 = negl(n). 15
16 Proof. From Game 1 to Game 2, we switch from KeyGen to KeyGen. Therefore, it suffices to show that for any predicate Y such that P(X, Y) = 0, the following distributions are statistically close: KeyGen(mpk,msk, Y) s KeyGen(mpk, msk, Y, X ) We write: F i,j := ( A A i,j + Y i,j G ) ) = (A AR i,j + (Y i,j X i,j )G Z n 2m. Since P(X, Y) = 0, we know that there must exist a i [D] such that Y i,j X for all j [l]. Because i,j P AND AT MOST ONE (X, Y) = 1, we know that for all i [D], there is at most one j i [l] such that Y i,i j = X. i,i j We proceed in three steps: 1. First, we argue that the joint distribution {P i, U i,ji : i [D],i i } is statistically close in KeyGen and in KeyGen. This follows readily from Lemma Next, we argue that the joint distribution {P i : i [D]} is statistically close in KeyGen and in KeyGen. This follows readily from secret sharing. 3. Finally, fix P 1,...,P D. We argue that the distribution of the remaining matrices is statistically close in KeyGen and in KeyGen. This follows from Lemma 6, which tells us that the output U i,j of both RightSample in KeyGen and LeftSample in KeyGen, are statistically close to D Λ P i (F i,j ),σ ω( logn). We can sample these U i,j in KeyGen applying LeftSample because Y i,j X i,j 0 whenever i = i or whenever j j i. Remark 3. Note that the "at most one" promise is crucial here, because when Y i,j X = 0, we cannot ) i,j use LeftSample to sample a short matrix U i,j such that (A AR i,j + (Y i,j X i,j )G U i,j = P i. If there exists "at most one" j i [l] such that Y i,ji X = 0, we can sample a short matrix U i,j i i,ji from some discrete Gaussian distribution, and set P i to be P i := ( A AR i,j + 0 G ) U i,j. Lemma 5 ensures that both U i,j and P i are correctly distributed. However, if there exist at least 2 indices j i and j i [l] such that Y i,j i X = i,j i Y i,j X = 0, then there is more than one matrix that we cannot sample using LeftSample, and the i i,j i previous techniue does not work anymore. Lemma 17 (Game 2 to Game 3 ). There exists an adversary B whose running time is roughly the same as that of A and such that Adv 2 Adv 3 Adv dlwe n,m+k+n,,χ B Note that only difference between Game 2 and Game 3 is that we switch the distribution of the inputs (d 0, d D+1 ) to Ẽnc from LWE instances to random ones. Proof. On input an LWE challenge where A R Z n m and P R Z n (k+n) A and proceeds as follows: runs Setup(1 n,x,y,m; A, P, X β ) as in Game 2; (A, P, d 0, d D+1 ) answers A s private key ueries by using KeyGen as in Game 2 ; and (d 0, d D+1 ) is either (s A + e, s P + e ) or random, B simulates runs Ẽnc(mpk, b β; msk, d 0, d D+1 ) to generate the challenge ciphertext; Finally, A guesses if it is interacting with a Game 2 or a Game 3 challenger. B outputs A s guess as the answer to the LWE challenge it is trying to solve. 16
17 When the LWE challenge is pseudorandom as in Definition 1, the adversary s view is as in Game 2. When the LWE challenge is random the adversary s view is as in Game 3. Therefore, B s advantage in solving LWE is the same as A s advantage in distinguishing Game 2 and Game 3. Lemma 18 (Game 3 to Game 4 ). Adv 3 Adv 4 = negl(n) Proof. The differences between Game 3 and Game 4 are: In Game 3, A R Z n m, and T A :=, whereas in Game 4, (A, T A ) R TrapGen(1 n,1 m ). In Game 3, the challenger answers the adversary s secret key using the KeyGen algorithm, whereas he answers using the KeyGen algorithm in Game 4. The proof is the same as the one of Lemma 16, by symmetry of the games. Lemma 19 (Game 4 ). We have Adv 4 1/2 = negl(n) Proof. In Game 4, both the challenge ciphertext and the secret keys are independent of β. Moreover, by Lemma 1, we know that for all i [D], for all j [l] the two following distributions are statistically close (A, A i,j ) s (A, AR i,j X i,j G) where A i,j R Z n m, R i,j R { 1,1} m m, and e R χ m. Thus, the mpk does not leak any information on X β. Therefore, we get Adv 4 1/2 = negl(n). 4.4 Parameter selection By Lemma 1, we need m > (n + 1)log + ω(logn) By Lemma 3, and Lemma 4, we reuire m = Θ(n log ) By Lemma 5, we need m 2n log By Lemma 6, we need σ = O( T A GS ) and σ = O( T G GS (1 + R 2 )) where T A GS = O( n log ) and R 2 20 m with overwhelming probability in n, according to Lemma 3 and Lemma 5, respectively. For correctness of decryption, we reuire χ max /4 (1 + D ( m) s 2m ) 1, where s = σ ω( logn). Conseuently we take m = Θ(n log ), σ = O ( n log ) and χ max = O ( (D (n log ) 3/2 s) 1) where s = σ ω( logn). 4.5 Putting everything together for multidimensional range ueries When D denotes the number of dimensions and T the number of points in each, combining the preceding scheme with the reduction in Section 3.3, we get a scheme for P CPRANGE and P KPRANGE with ciphertexts and secret keys of sizes O(D logt ) and running times O(D logt poly(n)) for encryption and key generation, O((logT ) D poly(n)) for decryption. 17
18 5 Shorter Ciphertexts and Secret Keys for MultiDimensional Subset Queries The predicate encryption scheme for P ANDOREQ exhibited in Section 4 together with the reductions presented in Section 3 lead to efficient predicate encryption schemes for multidimensional subset ueries. Indeed, when D denotes the dimension and T denotes the size of the sets, we obtain a predicate encryption scheme for P KPSUBSET and P CPSUBSET with ciphertexts and secret keys of size O(D T ). However, in this section we show how we can improve the size of the secret keys and ciphertexts in order to obtain: ciphertexts of size O(D) for P KPSUBSET secret keys of size O(D) for P CPSUBSET 5.1 Multidimensional subset ueries, ciphertext policy We can obtain a predicate encryption scheme for P CPSUBSET using the reduction to P ANDOREQ defined in section 3.2, with secret keys of size O(D T ). We reduce the size of the secret keys size down to O(D) using the fact that in each dimension, only one of the T matrices in the secret key is needed to decrypt. On the one hand, for each dimension i, the reduction maps a point z [T ] into the vector e z. Therefore, for all j z the KeyGen algorithm generates a short matrix U i,j which is a preimage of some target for the matrix [ A A i,j + 0 G ]. On the other hand, a characteristic vector w {0,1} T, is mapped into a 1,1 vector. Thus, for all j, the (i, j ) th component of the ciphertext is an LWE sample corresponding to the matrix [ A i,j + G ], { 1,1}. Conseuently, the matrices U i,j for j z do not yield any useful information to decrypt the ciphertext. Therefore, we can remove them, and still satisfies correctness. Moreover, it is clear that removing parts of the secret key will not affect the security. Removing these matrices, we obtain a scheme whose secret keys have size O(D), and whose decryption algorithm runs in time O(D poly(n)) (instead of O(T D poly(n))). Construction. Let n N be the security parameter and T, D positive integers. Let = (n,t,d), m = m(n,t,d) and χ max = χ max (n,t,d) be positive integers, and σ = σ(n,t,d) be a Gaussian parameter. Setup(1 n,x,y,m): on a security parameter n, an attribute space X := {0,1} D T, a predicate space Y := Z D, and a message space M := {0,1}k, do: Pick (A, T A ) TrapGen(1 n,1 m, ). Pick A 1,1,...,A D,T R Z n m. Pick P R Z n (k+n). Compute (G, T G ) as defined in Lemma 4. Output: mpk := (P, A, A 1,1,...,A D,T, G, T G ) and msk := T A Enc(mpk, X, b): On input the public parameters mpk, an predicate matrix X X, and a message b {0,1} k, do: Pick s R Z n, e R χ m, and compute c 0 := s A + e. for all i [D] and all j [T ], do: Pick R i,j { 1,1} n m. 18
19 Compute c i,j := s ( A i,j + X i,j G ) + e R i,j. Set b := (b,0,...,0) {0,1} k+n, pick an e R χ k+n, and compute c f := s P + e + b /2. Output: ct := (c 0, c 1,1,...,c D,T, c f ) KeyGen(mpk, msk, y): On input the public parameters mpk, the master secret key msk, and an attribute vector y Y, do: Secret share P as {P i,i [D]}, such that D P i = P. For all i [D]: Sample a short matrix U i Z 2m (k+n) such that [ A A i,yi + G ] U i = P i using RightSample(A, T A, A i,yi + G, P i,σ) with σ = O( n log ). Output the secret key sk Y = (U 1,...,U D ). Dec(mpk,sk y,ct): On input the public parameters mpk, a secret key sk y = (U 1,...,U D ) for an attribute vector y, and a ciphertext ct = (c 0, c 1,1,...,c D,T, c f ), do: Compute d := c f ] D [ c0 c i,yi Ui mod. Output the first k bits of d /2. For any z [0,1], we denote by z the closest integer of z. Correctness and security. Correctness and security proofs follow readily from those of P ANDOREQ in Section Multidimensional subset ueries, keypolicy The following scheme is similar (however simpler) to the one presented in Section 4 for P ANDOREQ. Overview. We begin with the special case D = 1. Given an attribute vector x [T ] D, the ciphertext is an LWE sample corresponding to the matrix [ A A 1 + xg ] and the message is masked using an LWE sample corresponding to a public matrix P. The secret key corresponding to Y {0,1} T is a collection of T short matrices U 1,...,U T such that: [ A A1 + j G ] U j = P if Y j = 1 U j = if Y j = 0 For correctness, observe that if Y x = 1, then the decryptor can use U x to recover the plaintext. However, since the decryptor does not know x, he will try to decrypt the ciphertext using each of U 1,...,U T. We will need to pad the plaintext with redundant zeroes so that the decryptor can identify the correct plaintext. To establish security with respect to some selective challenge x, we will need to simulate the secret keys for all Y such that Y x = 0. Observe that for all j = 1,...,T, Y j = 1 = j x We can then simulate U j using an allbutone simulation (while puncturing at x ) exactly as in prior IBE schemes in [ABB10a]. In order to establish weak attributehiding, we adopt a similar strategy to that for inner product encryption in [AFV11]. 19
20 Higher dimensions. Given an attribute vector x [T ] D, the ciphertext is an LWE sample corresponding to the matrix [ A A 1 + x 1 G A D + x D G ]. The secret key corresponding to Y {0,1} D T is a collection of D T short matrices U 1,1,...,U D,T such that for j = 1,...,T,i = 1,...,D: where P 1,...,P D is an additive secretsharing of P. [ A Ai + j G ] U i,j = P i if Y i,j = 1 U i,j = if Y i,j = 0 For correctness, observe that if Y 1,x1 = Y 2,x2 =... = Y D,xD = 1, then the decryptor can use U 1,x1,, U D,xD to recover the plaintext. As with the case D = 1, the decryptor will need to enumerate over all x [T ] D. To simulate secret keys for Y with respect to some selective challenge x, first we fix i such that Y k,x = 0. i Without loss of generality, suppose i = 1, that is, Y 1,x 1 = 0. We then proceed as follows: Sample random short matrices U 2,x 2,...,U D,x, which in turn determines the shares P 2,...,P D D. Define P 1 := P D i=2 P i and use an allbutone simulation strategy to sample the remaining short matrices in the secret key. Construction. Let n N be the security parameter and T, D be positive integers. Let = (n), m = m(n,t,d) and χ max = χ max (n,,t,d) be positive integers, and σ = σ(n,,t,d) be a Gaussian parameter. Setup(1 n,x,y,m): on n, X := Z D, Y := {0,1}D T and M := {0,1} k, do: Pick (A, T A ) TrapGen(1 n,1 m, ). Pick A 1,...,A D R Z n m. Pick P R Z n (k+n). Compute (G, T G ) as defined in Lemma 4. Output: mpk := (P, A, A 1,...,A D, G, T G ) and msk := T A Enc(mpk, x, b): On input mpk, x X and b {0,1} k : Pick s R Z n, e R χ m, and compute c 0 := s A + e. For all i [D]: Pick R i { 1,1} m m. Compute c i := s ( A i + x i G ) + e R i. Set b := (b,0,...,0) {0,1} k+n, pick e R χ k+n, and compute c f := s P + e + b /2. Output: ct := (c 0, c 1,...,c D, c f ) KeyGen(mpk,msk, Y): On input mpk, msk, and Y Y, do: Secret share P as {P i,i [D]}, such that D P i = P. For all i [D] and j [T ]: If Y i,j = 1 then sample a short matrix U i,j Z 2m (k+n) [ A Ai + j G ] U i,j = P i such that using RightSample(A, T A, A i + j G, P i,σ) with σ = O( n log ). 20
21 Otherwise set U i,j :=. Output the secret key sk Y = (U 1,1,...,U D,T ). Dec(mpk,sk Y,ct): On input the public parameters mpk, a secret key sk Y = (U 1,1,...,U D,T ) for a predicate matrix Y, and a ciphertext ct = (c 0, c 1,...,c D, c f ), do: For all x = (x 1,..., x D ) [T ]D, compute d x := c f D [ ] c0 c i Ui,x mod. i dx If /2 {0,1} k 0 n for exactly one vector x [T ] D, then output the first k bits of z [0,1], we denote by z the closest integer of z. Otherwise, abort. dx /2. For any Correctness. Lemma 20. Suppose that parameters χ max is such that χ max /4 (1 + D ( m) s 2m ) 1. where s = σ ω( logn). Let sk Y = (U 1,1,...,U D,T ) KeyGen(mpk,msk, Y), ct = (c 0,...,c D+1 ) Enc(mpk, x, b), and d Dec(mpk,sk Y,ct) If P(x, Y) = 1, then with overwhelming probability in n, Dec does not abort and d = b. The proof of Lemma 20 is essentially the same than the proof of Lemma 13, for P ANDOREQ. We refer to the latter for further details. Proof of Security. Lemma 21. For any adversary A, there exists an adversary B whose running time is roughly the same as that of A and such that AdvA PE (n) AdvdLWE n,m+n+k,,χ + negl(n) We proceed exactly as in Section 4.3 with the same auxiliary algorithms. B Auxiliary algorithms. Setup(1 n,x,y,m; A, P, x ): on n, X := [T ] D, Y := {0,1} T D, M := {0,1} k, A Z n m, P Z n (k+n) X, do the following: Compute (G, T G ) as defined in Lemma 4. For all i [D], pick R i { 1,1} m m and set A i := AR i x i G. Output mpk := (P, A, A 1,...,A D, G, T G ) and msk := (x, R 1,...,R D, T A ). Ẽnc(mpk, b; msk, d 0, d D+1 ): On mpk, b {0,1} k, msk, and the extra inputs d 0 Z m, d D+1 Z k+n following: Set c 0 := d 0, For all i [D], compute c i := d 0 R i, Compute b := (b,0,...,0) {0,1} k+n, and set c D+1 := d D+1 + b /2. and x do the 21
Riding on Asymmetry: Efficient ABE for Branching Programs
Riding on Asymmetry: Efficient ABE for Branching Programs Sergey Gorbunov and Dhinakaran Vinayagamurthy Abstract. In an AttributeBased Encryption ABE scheme the ciphertext encrypting a message µ, is associated
More informationBackground: Lattices and the LearningwithErrors problem
Background: Lattices and the LearningwithErrors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationEfficient Lattice (H)IBE in the Standard Model
Efficient Lattice (H)IBE in the Standard Model Shweta Agrawal University of Texas, Austin Dan Boneh Stanford University Xavier Boyen PARC Abstract We construct an efficient identity based encryption system
More informationAttributebased Encryption & Delegation of Computation
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attributebased Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE
More information5.4 ElGamal  definition
5.4 ElGamal  definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationCompact Reusable Garbled Circuits. Dhinakaran Vinayagamurthy
Compact Reusable Garbled Circuits by Dhinakaran Vinayagamurthy A thesis submitted in conformity with the requirements for the degree of Master of Science Graduate Department of Computer Science University
More informationG Advanced Cryptography April 10th, Lecture 11
G.30001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationHow to Delegate a Lattice Basis
How to Delegate a Lattice Basis David Cash Dennis Hofheinz Eike Kiltz July 24, 2009 Abstract We present a technique, which we call basis delegation, that allows one to use a short basis of a given lattice
More informationAn efficient variant of BonehGentryHamburg's identitybased encryption without pairing
University of Wollongong Research Online Faculty of Engineering and Information Sciences  Papers: Part A Faculty of Engineering and Information Sciences 2015 An efficient variant of BonehGentryHamburg's
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationNew Proof Methods for AttributeBased Encryption: Achieving Full Security through Selective Techniques
New Proof Methods for AttributeBased Encryption: Achieving Full Security through Selective Techniques Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas
More informationPrivate Puncturable PRFs From Standard Lattice Assumptions
Private Puncturable PRFs From Standard Lattice Assumptions Dan Boneh Stanford University dabo@cs.stanford.edu Sam Kim Stanford University skim13@cs.stanford.edu Hart Montgomery Fujitsu Laboratories of
More informationNotes on Alekhnovich s cryptosystems
Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomialtime decoding algorithm A such that: Given
More informationIdentityBased Encryption from the DiffieHellman Assumption
IdentityBased Encryption from the DiffieHellman Assumption Nico Döttling Sanjam Garg University of California, Berkeley Abstract We provide the first constructions of identitybased encryption and hierarchical
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosenplaintext
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationA New Functional Encryption for Multidimensional Range Query
A New Functional Encryption for Multidimensional Range Query Jia Xu 1, EeChien Chang 2, and Jianying Zhou 3 1 Singapore Telecommunications Limited jia.xu@singtel.com 2 National University of Singapore
More informationLecture 16: Public Key Encryption:II
Lecture 16: Public Key Encryption:II Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 1 / 17 Last time PKE from ANY trapdoor
More informationRSAOAEP and CramerShoup
RSAOAEP and CramerShoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSAOAEP Preliminaries for the proof Proof of INDCCA2 security
More informationOutline. Provable Security in the Computational Model. III Signatures. PublicKey Encryption. Outline. David Pointcheval.
Provable Security in the Computational Model III Signatures David Pointcheval Ecole normale supérieure, CNRS & INRI PublicKey Encryption Signatures 2 dvanced Security for Signature dvanced Security Notions
More informationInaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from OneWay Functions
Columbia University  Crypto Reading Group Apr 27, 2011 Inaccessible Entropy and its Applications Igor Carboni Oliveira We summarize the constructions of PRGs from OWFs discussed so far and introduce the
More informationSolutions to homework 2
ICS 180: Introduction to Cryptography 4/22/2004 Solutions to homework 2 1 Security Definitions [10+20 points] Definition of some security property often goes like this: We call some communication scheme
More informationLecture 7: BonehBoyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: BonehBoyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the BonehBoyen IBE system,
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosenplaintext attack (CPA) is an attack model for cryptanalysis which
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A nontechnical account of the history of publickey cryptography and the colorful characters involved. 2 / 1 Recall
More informationLeakageresilient Attributebased Encryptions with Fast Decryption: Model, Analysis and Construction
Leakageresilient ttributebased Encryptions with Fast Decryption: Model, nalysis and Construction Mingwu Zhang,, Wei Shi, Chunzhi Wang, Zhenhua Chen,Yi Mu May 1, 2013 bstract Traditionally, in attributebased
More informationNonInteractive ZK:The FeigeLapidotShamir protocol
NonInteractive ZK: The FeigeLapidotShamir protocol April 20, 2009 Remainders FLS protocol Definition (Interactive proof system) A pair of interactive machines (P, V ) is called an interactive proof
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationCryptographically Enforced RBAC
Cryptographically Enforced RBAC Anna Lisa Ferrara 1, Georg Fuchsbauer 2, and Bogdan Warinschi 1 1 University of Bristol, UK, anna.lisa.ferrara@bristol.ac.uk,bogdan@cs.bris.ac.uk 2 Institute of Science
More informationIDbased Encryption Scheme Secure against Chosen Ciphertext Attacks
IDbased Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {caozf,
More informationMultiInput Functional Encryption
MultiInput Functional Encryption S. Dov Gordon Jonathan Katz FengHao Liu Elaine Shi HongSheng Zhou Abstract Functional encryption (FE) is a powerful primitive enabling finegrained access to encrypted
More informationFHE Circuit Privacy Almost For Free
FHE Circuit Privacy Almost For Free Florian Bourse, Rafaël Del Pino, Michele Minelli, and Hoeteck Wee ENS, CNRS, INRIA, and PSL Research University, Paris, France {fbourse,delpino,minelli,wee}@di.ens.fr
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationLecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004
CMSC 858K Advanced Topics in Cryptography January 27, 2004 Lecturer: Jonathan Katz Lecture 1 Scribe(s): Jonathan Katz 1 Introduction to These Notes These notes are intended to supplement, not replace,
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical publickey
More informationLecture 11: Hash Functions, MerkleDamgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, MerkleDamgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review CollisionResistant Hash Functions
More informationLecture 17  DiffieHellman key exchange, pairing, IdentityBased Encryption and Forward Security
Lecture 17  DiffieHellman key exchange, pairing, IdentityBased Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationOAEP Reconsidered. Victor Shoup. IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland
OAEP Reconsidered Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com February 13, 2001 Abstract The OAEP encryption scheme was introduced by Bellare and
More informationProperty Preserving Symmetric Encryption Revisited
Property Preserving Symmetric Encryption Revisited Sanjit Chatterjee 1 and M. Prem Laxman Das 2 1 Department of Computer Science and Automation, Indian Institute of Science sanjit@csa.iisc.ernet.in 2 Society
More informationInstantiating the Dual System Encryption Methodology in Bilinear Groups
Instantiating the Dual System Encryption Methodology in Bilinear Groups Allison Lewko joint work with Brent Waters Motivation classical public key cryptography: Alice Bob Eve Motivation functional encryption:
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad  Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationLattice Basis Delegation in Fixed Dimension and ShorterCiphertext Hierarchical IBE
Lattice Basis Delegation in Fixed Dimension and ShorterCiphertext Hierarchical IBE Shweta Agrawal 1, Dan Boneh 2, and Xavier Boyen 3 1 University of Texas, Austin 2 Stanford University 3 Université de
More informationNew Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts
New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu
More informationFunctional Encryption: Decentralized and Delegatable
Functional Encryption: Decentralized and Delegatable Nishanth Chandran Vipul Goyal Aayush Jain Amit Sahai Abstract Recent advances in encryption schemes have allowed us to go far beyond point to point
More informationOn Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles
A preliminary version of this paper appears in Advances in Cryptology  CRYPTO 2008, 28th Annual International Cryptology Conference, D. Wagner ed., LNCS, Springer, 2008. This is the full version. On Notions
More informationA Beginner s Guide To The General Number Field Sieve
1 A Beginner s Guide To The General Number Field Sieve Michael Case Oregon State University, ECE 575 case@engr.orst.edu Abstract RSA is a very popular public key cryptosystem. This algorithm is known to
More information15 PublicKey Encryption
15 PublicKey Encryption So far, the encryption schemes that we ve seen are symmetrickey schemes. The same key is used to encrypt and decrypt. In this chapter we introduce publickey (sometimes called
More informationEfficient Conversion of Secretshared Values Between Different Fields
Efficient Conversion of Secretshared Values Between Different Fields Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We show how to effectively convert a
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption Ronald Cramer and Victor Shoup 1 BRICS & Dept. of Computer Science, Aarhus University. cramer@brics.dk 2
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationBonsai Trees, or How to Delegate a Lattice Basis
Bonsai Trees, or How to Delegate a Lattice Basis David Cash, Dennis Hofheinz, Eike Kiltz, and Chris Peikert Abstract. We introduce a new latticebased cryptographic structure called a bonsai tree, and
More informationUniversal Samplers with Fast Verification
Universal Samplers with Fast Verification Venkata Koppula University of Texas at Austin kvenkata@csutexasedu Brent Waters University of Texas at Austin bwaters@csutexasedu January 9, 2017 Andrew Poelstra
More informationCompactness vs Collusion Resistance in Functional Encryption
Compactness vs Collusion Resistance in Functional Encryption Baiyu Li Daniele Micciancio April 10, 2017 Astract We present two general constructions that can e used to comine any two functional encryption
More informationAnonymous Proxy Signature with Restricted Traceability
Anonymous Proxy Signature with Restricted Traceability Jiannan Wei Joined work with Guomin Yang and Yi Mu University of Wollongong Outline Introduction Motivation and Potential Solutions Anonymous Proxy
More informationDeniable Attribute Based Encryption for Branching Programs from LWE
Deniable Attribute Based Encryption for Branching Programs from LWE Daniel Apon Xiong Fan FengHao Liu Abstract Deniable encryption (Canetti et al. CRYPTO 97) is an intriguing primitive that provides a
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationAN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM
AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM VORA,VRUSHANK APPRENTICE PROGRAM Abstract. This paper will analyze the strengths and weaknesses of the underlying computational
More informationLecture 6. 2 AdaptivelySecure NonInteractive ZeroKnowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationKlein s and PTW Attacks on WEP
TTM4137 Wireless Security Klein s and PTW Attacks on WEP Anton Stolbunov NTNU, Department of Telematics version 1, September 7, 2009 Abstract These notes should help for an indepth understanding of the
More informationA SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL
A SHUFFLE ARGUMENT SECURE IN THE GENERIC MODEL Prastudy Fauzi, Helger Lipmaa, Michal Zajac University of Tartu, Estonia ASIACRYPT 2016 OUR RESULTS A new efficient CRSbased NIZK shuffle argument OUR RESULTS
More informationRevocable IdentityBased Encryption from Lattices
Revocable IdentityBased Encryption from Lattices Jie Chen, Hoon Wei Lim, San Ling, Huaxiong Wang, and Khoa Nguyen Nanyang Technological University, Singapore s080001@e.ntu.edu.sg {hoonwei,lingsan,hxwang}@ntu.edu.sg
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationPERFECTLY secure key agreement has been studied recently
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 45, NO. 2, MARCH 1999 499 Unconditionally Secure Key Agreement the Intrinsic Conditional Information Ueli M. Maurer, Senior Member, IEEE, Stefan Wolf Abstract
More informationOptimal Error Rates for Interactive Coding II: Efficiency and List Decoding
Optimal Error Rates for Interactive Coding II: Efficiency and List Decoding Mohsen Ghaffari MIT ghaffari@mit.edu Bernhard Haeupler Microsoft Research haeupler@cs.cmu.edu Abstract We study coding schemes
More informationLattices. A Lattice is a discrete subgroup of the additive group of ndimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of ndimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationEfficient Selective IdentityBased Encryption Without Random Oracles
Efficient Selective IdentityBased Encryption Without Random Oracles Dan Boneh Xavier Boyen March 21, 2011 Abstract We construct two efficient IdentityBased Encryption (IBE) systems that admit selectiveidentity
More informationProxy Reencryption from Lattices
Proxy Reencryption from Lattices Elena Kirshanova Horst Görtz Institute for ITSecurity Faculty of Mathematics Ruhr University Bochum, Germany elena.kirshanova@rub.de Abstract. We propose a new unidirectional
More informationPractical Fully Homomorphic Encryption without Noise Reduction
Practical Fully Homomorphic Encryption without Noise Reduction Dongxi Liu CSIRO, Marsfield, NSW 2122, Australia dongxi.liu@csiro.au Abstract. We present a new fully homomorphic encryption (FHE) scheme
More informationDomain Extension of Public Random Functions: Beyond the Birthday Barrier
Domain Extension of Public Random Functions: Beyond the Birthday Barrier Ueli Maurer Stefano Tessaro Department of Computer Science ETH Zurich 8092 Zurich, Switzerland {maurer,tessaros}@inf.ethz.ch Abstract
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationRing Group Signatures
Ring Group Signatures Liqun Chen HewlettPackard Laboratories, Long Down Avenue, Stoke Gifford, Bristol, BS34 8QZ, United Kingdom. liqun.chen@hp.com Abstract. In many applications of group signatures,
More informationEcient Public Trace and Revoke from Standard Assumptions
Ecient Public Trace and Revoke from Standard Assumptions Shweta Agrawal 1, Sanjay Bhattacherjee 2, Duong Hieu Phan 3, Damien Stehlé 4, and Shota Yamada 5 1 IIT Madras, India 2 Turing Lab, ISI Kolkata,
More informationPrivacy of Numeric Queries Via Simple Value Perturbation. The Laplace Mechanism
Privacy of Numeric Queries Via Simple Value Perturbation The Laplace Mechanism Differential Privacy A Basic Model Let X represent an abstract data universe and D be a multiset of elements from X. i.e.
More informationRandomnessDependent Message Security
RandomnessDependent Message Security Eleanor Birrell KaiMin Chung Rafael Pass Sidharth Telang December 28, 2012 Abstract Traditional definitions of the security of encryption schemes assume that the
More informationLeakageResilient ChosenCiphertext Secure PublicKey Encryption from Hash Proof System and OneTime Lossy Filter
LeakageResilient ChosenCiphertext Secure PublicKey Encryption from Hash Proof System and OneTime Lossy Filter Baodong Qin Shengli Liu October 9, 2013 Abstract We present a new generic construction
More informationLecture 38: Secure Multiparty Computation MPC
Lecture 38: Secure Multiparty Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party
More information5 PublicKey Encryption: Rabin, BlumGoldwasser, RSA
Leo Reyzin. Notes for BU CAS CS 538. 1 5 PublicKey Encryption: Rabin, BlumGoldwasser, RSA 5.1 Public Key vs. Symmetric Encryption In the encryption we ve been doing so far, the sender and the recipient
More informationLARA A Design Concept for Latticebased Encryption
LARA A Design Concept for Latticebased Encryption Rachid El Bansarkhani Technische Universität Darmstadt Fachbereich Informatik Kryptographie und Computeralgebra, Hochschulstraÿe 10, 64289 Darmstadt,
More informationObfuscating ComputeandCompare Programs under LWE
Obfuscating ComputeandCompare Programs under LWE Daniel Wichs Giorgos Zirdelis August 15, 2017 Abstract We show how to obfuscate a large and expressive class of programs, which we call computeandcompare
More informationPoint Obfuscation and 3round ZeroKnowledge
Point Obfuscation and 3round ZeroKnowledge Nir Bitansky and Omer Paneth Tel Aviv University and Boston University September 21, 2011 Abstract We construct 3round proofs and arguments with negligible
More informationCryptographic Hardness Assumptions
Chapter 2 Cryptographic Hardness Assumptions As noted in the previous chapter, it is impossible to construct a digital signature scheme that is secure against an allpowerful adversary. Instead, the best
More informationAnonymous IBE from Quadratic Residuosity with Improved Performance
Anonymous IBE from Quadratic Residuosity with Improved Performance Michael Clear, Hitesh Tewari, Ciarán McGoldrick School of Computer Science and Statistics, Trinity College Dublin Keywords: Identity Based
More informationSymmetric Encryption
1 Symmetric Encryption Mike Reiter Based on Chapter 5 of Bellare and Rogaway, Introduction to Modern Cryptography. Symmetric Encryption 2 A symmetric encryption scheme is a triple SE = K, E, D of efficiently
More informationToward Basing Fully Homomorphic Encryption on WorstCase Hardness
Toward Basing Fully Homomorphic Encryption on WorstCase Hardness Craig Gentry IBM T.J Watson Research Center cbgentry@us.ibm.com Abstract. Gentry proposed a fully homomorphic public key encryption scheme
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationMultiDimensional Range Query over Encrypted Data 1
MultiDimensional Range Query over Encrypted Data 1 Elaine Shi John Bethencourt TH. Hubert Chan Dawn Song Adrian Perrig May 2006. Updated: March 2007. CMUCS06135 School of Computer Science Carnegie
More informationThe KnowledgeofExponent Assumptions and 3Round ZeroKnowledge Protocols
The KnowledgeofExponent Assumptions and 3Round ZeroKnowledge Protocols Mihir Bellare and Adriana Palacio Dept. of Computer Science & Engineering, University of California, San Diego 9500 Gilman Drive,
More informationSolving LPN Using Covering Codes
Solving LPN Using Covering Codes Qian Guo 1,2 Thomas Johansson 1 Carl Löndahl 1 1 Dept of Electrical and Information Technology, Lund University 2 School of Computer Science, Fudan University ASIACRYPT
More information8.1 Principles of PublicKey Cryptosystems
Publickey cryptography is a radical departure from all that has gone before. Right up to modern times all cryptographic systems have been based on the elementary tools of substitution and permutation.
More informationAnswering Many Queries with Differential Privacy
6.889 New Developments in Cryptography May 6, 2011 Answering Many Queries with Differential Privacy Instructors: Shafi Goldwasser, Yael Kalai, Leo Reyzin, Boaz Barak, and Salil Vadhan Lecturer: Jonathan
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 20060207 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationFrom Weak to Strong ZeroKnowledge and Applications
From Weak to Strong ZeroKnowledge and Applications KaiMin Chung Academia Sinica kmchung@iis.sinica.edu.tw Edward Lui Cornell University luied@cs.cornell.edu January 20, 205 Rafael Pass Cornell University
More informationEfficient Computationally Private Information Retrieval From Anonymity or Trapdoor Groups
Efficient Computationally Private Information Retrieval From Anonymity or Trapdoor Groups Jonathan Trostle and Andy Parrish Johns Hopkins University Applied Physics Laboratory 11100 Johns Hopkins Rd. Laurel,
More informationLearning to Impersonate
Learning to Impersonate Moni Naor Guy N. Rothblum Abstract Consider Alice, who is interacting with Bob. Alice and Bob have some shared secret which helps Alice identify Bobimpersonators. Now consider
More informationIndifferentiability of Iterated EvenMansour Ciphers with NonIdealized KeySchedules: Five Rounds are Necessary and Sufficient
Indifferentiability of Iterated EvenMansour Ciphers with NonIdealized KeySchedules: Five Rounds are Necessary and Sufficient Yuanxi Dai, Yannick Seurin, John Steinberger, and Aishwarya Thiruvengadam
More information