From Minicrypt to Obfustopia via Private-Key Functional Encryption

Similar documents
Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption

Fully Key-Homomorphic Encryption and its Applications

Riding on Asymmetry: Efficient ABE for Branching Programs

6.892 Computing on Encrypted Data October 28, Lecture 7

Hierarchical Functional Encryption

Function-Hiding Inner Product Encryption

Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro

FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan

Projective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps

On the Achievability of Simulation-Based Security for Functional Encryption

Bootstrapping Obfuscators via Fast Pseudorandom Functions

A Comment on Gu Map-1

Private Puncturable PRFs from Standard Lattice Assumptions

From FE Combiners to Secure MPC and Back

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

Multi-Input Functional Encryption

On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

Searchable encryption & Anonymous encryption

A New Functional Encryption for Multidimensional Range Query

Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits

Reusable Garbled Circuits and Succinct Functional Encryption

Fully Homomorphic Encryption from LWE

Fully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

On the Complexity of Compressing Obfuscation

When does Functional Encryption Imply Obfuscation?

APPLICATIONS OF (INDISTINGUISHABILITY) OBFUSCATION

On i-hop Homomorphic Encryption

Non-Interactive Secure Multiparty Computation

Multi-Input Functional Encryption for Unbounded Arity Functions

Shai Halevi IBM August 2013

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

QUANTUM HOMOMORPHIC ENCRYPTION FOR POLYNOMIAL-SIZED CIRCUITS

Public-Key Encryption

Simulation-Based Secure Functional Encryption in the Random Oracle Model

Computing with Encrypted Data Lecture 26

Cryptology. Scribe: Fabrice Mouhartem M2IF

The Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator

Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings

Lecture 28: Public-key Cryptography. Public-key Cryptography

Output-Compressing Randomized Encodings and Applications

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Attribute-based Encryption & Delegation of Computation

Bounded Key-Dependent Message Security

Fully Homomorphic Encryption and Bootstrapping

Dual System Framework in Multilinear Settings and Applications to Fully Secure (Compact) ABE for Unbounded-Size Circuits

Succinct Functional Encryption and Applications: Reusable Garbled Circuits and Beyond

Adaptively Secure Constrained Pseudorandom Functions

Bounded KDM Security from io and OWF

On the Communication Complexity of Secure Function Evaluation with Long Output

Identity Based Encryption

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Classical hardness of Learning with Errors

Watermarking Cryptographic Functionalities from Standard Lattice Assumptions

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Functional Encryption: Decentralized and Delegatable

Compact Reusable Garbled Circuits. Dhinakaran Vinayagamurthy

Constructing Witness PRF and Offline Witness Encryption Without Multilinear Maps

Fully Homomorphic Encryption over the Integers

CPA-Security. Definition: A private-key encryption scheme

i-hop Homomorphic Encryption Schemes

Reducing Depth in Constrained PRFs: From Bit-Fixing to NC 1

Spooky Encryption and its Applications

Leakage-Resilient Public-Key Encryption from Obfuscation

Differing-Inputs Obfuscation and Applications

Machine Learning Classification over Encrypted Data. Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

Indistinguishability Obfuscation from Constant-Degree Graded Encoding Schemes

Obfuscation and Weak Multilinear Maps

On the power of non-adaptive quantum chosen-ciphertext attacks

Reusable Garbled Deterministic Finite Automata from Learning With Errors

Decentralizing Inner-Product Functional Encryption

Lecture 18: Message Authentication Codes & Digital Signa

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups

Exploding Obfuscation: A Framework for Building Applications of Obfuscation From Polynomial Hardness

Non- browser TLS Woes

Constrained PRFs for Unbounded Inputs with Short Keys

Lattice Based Crypto: Answering Questions You Don't Understand

Computing on Encrypted Data

Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption

Constrained PRFs for NC 1 in Traditional Groups

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts

Manipulating Data while It Is Encrypted

Obfuscating Compute-and-Compare Programs under LWE

Applied cryptography

from Standard Lattice Assumptions

On Homomorphic Encryption and Secure Computation

Function-Private Subspace-Membership Encryption and Its Applications

1 Public-key encryption

Evaluating 2-DNF Formulas on Ciphertexts

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Tightly CCA-Secure Encryption without Pairings. Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

1 Secure two-party computation

1 Number Theory Basics

Targeted Homomorphic Attribute Based Encryption

Fully Bideniable Interactive Encryption

Robust Non-Interactive Multiparty Computation Against Constant-Size Collusion

Delegating RAM Computations with Adaptive Soundness and Privacy

Transcription:

From Minicrypt to Obfustopia via Private-Key Functional Encryption Ilan Komargodski Weizmann Institute of Science Joint work with Gil Segev (Hebrew University)

Functional Encryption [Sahai-Waters 05] Enc pk m f Alice Public key pk Server Learns f m and nothing else about m sk f Bob Master secret key msk 2

Private-Key Functional Encryption Enc msk m f Alice msk sk f Server Learns only f m k 0 and Enc msk m, server can learn whether m 0, but nothing else! 3

Private-Key Functional Encryption Enc msk m f Alice msk sk f Server Learns only f m 0 k 0 and Enc msk Enc Enc msk mmsskk Enc msk m mm m, server can learn whether mm 0, but nothing else! Positivity-Revealing Encryption: Given s k 0 0 and Enc msk m, server can 4

Private-Key Functional Encryption Enc msk m f Alice msk sk f Server Learns only f m Security (Ind-based): Server sees keys for f 1,, f l and encryptions of m 1,, m k. 0 k 0 and Enc msk Enc Enc msk mmsskk Enc msk m mm m, server can learn whether mm 0, but nothing else! Can learn f i m j but nothing else. Positivity-Revealing Encryption: Given s k 0 0 and Enc msk m, server can 5

Known Constructions of Functional Encryption Schemes (Highlights) # keys Bounded Bounded Unbounded Ciphertext Long Short Short Assumption OWF/PKE [GVW12] LWE [GKPVZ13] io [GGHRSW13, W15] [GVW12] Gorbunov, Vaikuntanathan, Wee: Functional Encryption with Bounded Collusions via Multi-party Computation. CRYPTO 2012 [GKPVZ13] Goldwasser, Kalai, Popa, Vaikuntanathan, Zeldovich. Reusable garbled circuits and succinct functional encryption. STOC 2013 [GGHRSW13] Garg, Gentry, Halevi, Raykova, Sahai, Waters: Candidate Indistinguishability Obfuscation and Functional Encryption for all Circuits. FOCS 2013 [W14] Waters: A Punctured Programming Approach to Adaptively Secure Functional Encryption. CRYPTO 2015 6

Known Constructions of Functional Encryption Schemes (Highlights) # keys Bounded Bounded Unbounded Ciphertext Long Short Short Assumption OWF/PKE [GVW12] LWE [GKPVZ13] io [GGHRSW13, W15] [GVW12] Gorbunov, Vaikuntanathan, Wee: Functional Encryption with Bounded Collusions via Multi-party Computation. CRYPTO Main 2012 question: [GKPVZ13] Goldwasser, Kalai, Is Popa, io Vaikuntanathan, necessary Zeldovich. for FE Reusable garbled circuits and succinct functional encryption. STOC 2013 [GGHRSW13] Garg, Gentry, with Halevi, unbounded Raykova, Sahai, Waters: keys? Candidate Indistinguishability Obfuscation and Functional Encryption for all Circuits. FOCS 2013 [W14] Waters: A Punctured Programming Approach to Adaptively Secure Functional Encryption. CRYPTO 2015 7

Does FE imply io? 8

Does FE imply io? Public-key FE (w. sub-exp security): YES [AJ15,BV15]. 9

Does FE imply io? Public-key FE (w. sub-exp security): YES [AJ15,BV15]. Private-key FE: up until recently, we only knew it implies OWFs. 10

Does FE imply io? Public-key FE (w. sub-exp security): YES [AJ15,BV15]. Private-key FE: up until recently, we only knew it implies OWFs. Best possible via black-box constructions [AS15]. 11

Does FE imply io? Public-key FE (w. sub-exp security): YES [AJ15,BV15]. Private-key FE: up until recently, we only knew it implies OWFs. Best possible via black-box constructions [AS15]. Bitansky et al. [BNPW16]: sub-exp-secure private-key FE & nearly exp-secure OWF imply PKE 12

Does FE imply io? Public-key FE (w. sub-exp security): YES [AJ15,BV15]. Private-key FE: up until recently, we only knew it implies OWFs. Best possible via black-box constructions [AS15]. Bitansky et al. [BNPW16]: sub-exp-secure private-key FE & nearly exp-secure OWF imply PKE sub-exp-secure private-key FE & sub-exp-secure PKE imply io 13

Does FE imply io? Public-key FE (w. sub-exp security): YES [AJ15,BV15]. Private-key FE: up until recently, we only knew it implies OWFs. Best possible via black-box constructions [AS15]. Bitansky et al. [BNPW16]: sub-exp-secure private-key FE & nearly exp-secure OWF imply PKE sub-exp-secure private-key FE & sub-exp-secure PKE imply io Non black-box component of [BKS16] 14

Does FE imply io? 15

Does FE imply io? # inputs Assumption Applications 16

Does FE imply io? # inputs Assumption O log n Trivial Applications 17

Does FE imply io? # inputs Assumption O log n Trivial O n Sub-exp-secure Public-key FE [AJ15,BV15] Or Sub-exp-secure Private-key FE + PKE [BNPW16] Applications All applications of io 18

Does FE imply io? # inputs O log n O log n loglog n O n Assumption Trivial Sub-exp-secure Private-key FE [BKS16] Sub-exp-secure Public-key FE [AJ15,BV15] Or Sub-exp-secure Private-key FE + PKE [BNPW16] Applications +nearly-exp OWF => PKE w. slight super-polynomial security [BNPW16] All applications of io 19

Does FE imply io? # inputs O log n O log n loglog n O log 1+δ n O n Assumption Trivial Sub-exp-secure Private-key FE [BKS16] Quasi-polysecure Privatekey FE [ThisWork] Sub-exp-secure Public-key FE [AJ15,BV15] Or Sub-exp-secure Private-key FE + PKE [BNPW16] Applications +nearly-exp OWF => PKE w. slight super-polynomial security [BNPW16] +sub-exp OWF => Public-key FE, PPAD hardness w. quasi-poly security All applications of io 20

Our Results xp(log ε n) with inputs of length log 1+δ n. xp(log ε n) with inputs of length log 1+δ n. 21

Our Results xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. xp(log ε n) with inputs of length log 1+δ n. 22

Our Results xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. Theorem: Quasi-poly-secure private-key FE implies io for circuits of Observation: size exp(log ε Such an io is sufficient for many n) with inputs of length log 1+δ applications! n. xp(log ε n) with inputs of length log 1+δ n. 23

Our Results xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. Observation: Such an io is sufficient for many applications! Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. Example Corollary 1: Quasi-poly-secure private-key FE & sub-exp-secure OWF imply public-key FE for circuits of size exp(log ε n) with inputs of length log 1+δ n. 24

Our Results xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. Observation: Such an io is sufficient for many applications! Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. Example Corollary 1: Quasi-poly-secure private-key FE & sub-exp-secure OWF imply public-key FE for circuits of size exp(log ε n) with inputs of length log 1+δ n. Example Corollary 2: 25

Our Results xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. xp( log ε log log ε εε log ε nn) with inputs of length log 1+δ log log 1+δ 1+δδ log 1+δ nn. Observation: Such an io is sufficient for many applications! Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. Example Corollary 1: Recently: ]Kitagawa-Nishimaki- Quasi-poly-secure private-key Tanaka] FE & showed sub-exp-secure that secure of size private-key exp(log FE ε implies n) with io OWF imply public-key FE for circuits inputs of length log 1+δ n. Example Corollary 2: 26

PPAD-Hardness Summary [AKV04] [BPR15] The strong assumption VBB io Hardness Super-Poly [GPS16] Public-key FE Poly This Work Private-key FE Quasi-poly

PPAD-Hardness Summary [AKV04] [BPR15] The strong assumption VBB io Hardness Super-Poly [GPS16] Public-key FE Poly This Work Private-key FE Quasi-poly Open: Can be based on weaker/other assumptions? LWE, DDH TDF/PKE (impossible via SVL hardness [RSS17]).

2-Input Functional Encryption [GGG+ 14] Enc msk m 1, f Enc msk m 2 Alice msk sk f Server Learns only f m 1, m 2 k,enc msk m 1 and Enc msk m 2, server can learn whether m 1 m 2, but nothing else! 29

2-Input Functional Encryption [GGG+ 14] Enc msk m 1, f Enc msk m 2 Alice msk sk f Server Learns only f m 1, m 2 k, Enc msk Enc Enc msk mmsskk Enc msk m 1 m 1 mm m 1 1 m 1 m 1 and Enc msk Enc Enc ms k mmsskk Enc msk m 2 m 2 mm m 2 2 m 2 m 2, server can learn whether m 1 mm m 1 1 m 1 30

2-Input Functional Encryption [GGG+ 14] Enc msk m 1, f Enc msk m 2 Alice msk sk f Server Learns only f m 1, m 2 k, Enc msk Enc Enc msk mmsskk Enc msk m 1 m 1 mm m 1 1 m 1 m 1 and Enc msk Enc Enc ms k mmsskk Enc msk m 2 m 2 mm m 2 2 m 2 m 2, server can learn whether m 1 mm m 1 1 m 1 t-input defined analogously. 31

Constructions of t-input FE Schemes [GGG+14] [BLR+15] [AJ15,BV15] [BKS16] This work Assumption io Multilinear Maps (idealized model) Sub-exp-secure single-input public-key FE Sub-exp-secure single-input private-key FE Quasi-poly-secure single-input private-key FE t - # of inputs Poly Poly Poly O(loglog n) log δ n 32

Constructions of t-input FE Schemes Assumption t - # of inputs [GGG+14] io Poly [BLR+15] Multilinear Maps (idealized model) Poly [AJ15,BV15] [BKS16] Sub-exp-secure single-input public-key FE Sub-exp-secure single-input private-key FE Poly O(loglog n) Remark: All of the schemes are selectively secure. ]BKS16] is adaptively secure. This work Quasi-poly-secure single-input private-key FE log δ n 33

Proof Overview Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. 1-input privatekey FE 2-input privatekey FE log δ n -input private-key FE io for log 1+δ n inputs -input FE scheme 34

Proof Overview Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. 1-input privatekey FE 2-input privatekey FE log δ n -input private-key FE io for log 1+δ n inputs tt-input FE We show a new generic transformation of any private-key t-input FE scheme into a private-key 2tinput FE 35

Proof Overview Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. 1-input privatekey FE 2-input privatekey FE log δ n -input private-key FE io for log 1+δ n inputs loglog nn times and get a log δ log log δ δδ log δ nn -input FE scheme tt-input FE We apply the transformation δ loglog n times and get a log δ n-input FE scheme 36

Proof Overview Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. 1-input privatekey FE 2-input privatekey FE log δ n -input private-key FE io for log 1+δ n inputs og log 1+δ 1+δδ log 1+δ nn. loglog nn times and get a log δ log log δ δδ log δ nn -input FE scheme tt-input FE Apply the [GGG+14,BNPW16] transformation to get io for inputs of length log 1 + δ n. 37

Proof Overview Theorem: Quasi-poly-secure private-key FE implies io for circuits of size exp(log ε n) with inputs of length log 1+δ n. 1-input privatekey FE 2-input privatekey FE log δ n -input private-key FE io for log 1+δ n inputs og log 1+δ 1+δδ log 1+δ nn. og log 1+δ 1+δδ log 1+δ nn. loglog nn times and get a log δ log log δ δδ log δ nn -input FE scheme Apply the [GGG+14,BNPW16] transformation to get io for inputs of length log 1 + δ n. Apply the [GGG+14,BNPW16] transformation to get io 38

Private-Key FE to io Theorem: t-input private-key FE implies io for circuits with inputs of length t log(n). 39

Private-Key FE to io Theorem: t-input private-key FE implies io for circuits with inputs of length t log(n). sk C sk sk C CC sk C } { ct i,j ct ct i,j ii,jj ct i,j } i {0,1 } log n,j t } } i {0,1 } log n,j t ii {0,1 } log n } } log n log n log log n n nn n log n } log n,jj t tt t } i {0,1 } log n,j t Proof: The obfuscation of a circuit C contains {sk C } {ct i,j } i {0,1} log n,j t 40

Private-Key FE to io Theorem: t-input private-key FE implies io for circuits with inputs of length t log(n). sk C sk sk C CC sk C } { ct i,j ct ct i,j ii,jj ct i,j } i {0,1 } log n,j t } } i {0,1 } log n,j t ii {0,1 } log n } } log n log n log log n n nn n log n } log n,jj t tt t } i {0,1 } log n,j t Proof: Key for the Encryption of the function C string i w.r.t input j The obfuscation of a circuit C contains {sk C } {ct i,j } i {0,1} log n,j t 41

Private-Key FE to io Theorem: t-input private-key FE implies io for circuits with inputs of length t log(n). E.Dec( sk C sk sk C CC sk C, x 1 xx x 1 1 x 1,, x t xx x t tt x t ) E.Dec( sk C sk sk C CC sk C, x 1 xx x 1 1 x 1,, x t xx x t tt x t ) ( x 1 xx x 1 Key 1 for x 1 the,, x t Encryption xx x t tt of the x t ) {0,1 } t log(n) } } t function C string i w.r.t input j log(n) tt log(nn) } t log(n), return sk C sk sk C CC sk C } { ct i,j ct ct i,j ii,jj ct i,j } i {0,1 } log n,j t } } i {0,1 } log n,j t ii {0,1 } log n } } log n log n log log n n nn n log n } log n,jj t tt t } i {0,1 } log n,j t 42

Private-Key FE to io Theorem: t-input private-key FE implies io for circuits with inputs of length t log(n). E.Dec( sk C sk sk C CC sk C, x 1 xx x 1 1 x 1,, x t xx x t tt x t ) E.Dec( sk C sk sk C CC sk C, x 1 xx x 1 1 x 1,, x t xx x t tt x t ) ( x 1 xx x 1 Key 1 for x 1 the,, x t Encryption xx x t tt of the x t ) {0,1 t-input } t log(n) scheme is } } t function C string i w.r.t input j function private log(n) tt log(nn) } t log(n), return sk C sk sk C CC sk C } { ct i,j ct ct i,j ii,jj ct i,j } i {0,1 } log n,j t } } i {0,1 } log n,j t ii {0,1 } log n } } log n log n log log n n nn n log n } log n,jj t tt t } i {0,1 } log n,j t 43

From t-input FE to 2t-Input FE 44

From t-input FE to 2t-Input FE )ced, cne, negyek, putes( FE t FE t = tte FE t = (Setup, Keygen, Enc, Dec) 45

From t-input FE to 2t-Input FE msk t msk msk t tt msk t,kk) t-input scheme PRF key )ced, cne, negyek, putes( FE t FE t = tte FE t = (Setup, Keygen, Enc, Dec) The master secret key is (msk t, K) 46

From t-input FE to 2t-Input FE x 1,, x t xx x t tt x t, y 1 yy y 1 1 y 1,, y t yy y t tt y t x 1 t-input,, xscheme t, y 1,, PRF ykey t, msk t msk msk t tt msk t,kk) )ced, cne, negyek, putes( FE t FE t = tte FE t = (Setup, Keygen, Enc, Dec) The master secret key is (msk t, K) To generate a key for f x 1 1 1 x 1,, x t, y 1,, y t, 47

From t-input FE to 2t-Input FE x 1,, x t xx x t tt x t, y 1 yy y 1 1 y 1,, y t yy y t tt y t x 1 t-input,, xscheme t, y 1,, PRF ykey t, msk t msk msk t tt msk t,kk) )ced, cne, negyek, putes( FE t FE t = tte FE t = (Setup, Keygen, Enc, Dec) The master secret sk f key Keygen is (msk msk t, K) t, Gen f,k To generate a key for f x 1 1 1 x 1,, x t, y 1,, y t, Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) 48

From t-input FE to 2t-Input FE x 1,, x t xx x t tt x t f x 1,, x t f x 1,, x t ( y 1 yy y 1 1 y 1,, y tt-input yy yscheme t tt y t )=ff( PRF key x 1 xx x 1 1 x 1,, x t xx x t tt x t, y 1 yy y 1 1 y 1,, y t yy y t tt y t ). x 1,, x t xx x t tt x t, y 1 yy y 1 1 y 1,, y t yy y t tt y t x 1,, x t, y 1,, y t, msk t msk msk t tt msk t,kk) sk f Keygen msk t, Gen f,k )ced, cne, negyek, putes( FE t FE t = tte FE t = (Setup, Keygen, Enc, Dec) Gen The master secret f,k (x key 1,, x is (msk t ): t, K) msk x1,,x To generate a key for t = Setup(F K (x 1,, x t )) f x 1 1 1 x 1,, x t, y 1,, y t, Output Keygen(msk x1,,x t, f x1,,x t ) 49

From t-input FE to 2t-Input FE jj jj ii To encrypt an input x, i To encrypt an input y, j To encrypt an input y, j To encrypt an input y, j 50

From t-input FE to 2t-Input FE jj jj ct x,i Enc msk t, x, i ii To encrypt an input x, i To encrypt an input y, j To encrypt an input y, j To encrypt an input y, j 51

From t-input FE to 2t-Input FE jj jj ct x,i Enc msk t, x, i ii To encrypt an input x, i To encrypt an input y, j To encrypt an Encryption input y, jof y, j: To encrypt an ct input y,j y, Keygen j msk t, AGG y,j,k AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 52

From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i ct x,i Enc msk t, x, i To encrypt an input y, j Encryption of y, j: ct y,j Keygen msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 53

From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i Dec(sk f, ct x,1,, ct x,t, ct y,1,, ct y,t ): 1. sk fx Dec(sk 1,,x t f, ct x,1,, ct x,t ) 2. To j: encrypt ct y,j an Dec(ct input y,j, y, ct x,1 j,, ct x,t ) 3. Ret Dec(f x1,,x t, ct y,1,, ct y,t ) ct x,i Enc msk t, x, i Encryption of y, j: ct y,j Keygen msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 54

From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i Dec(sk f, ct x,1,, ct x,t, ct y,1,, ct y,t ): 1. sk fx Dec(sk 1,,x t f, ct x,1,, ct x,t ) 2. To j: encrypt ct y,j an Dec(ct input y,j, y, ct x,1 j,, ct x,t ) 3. Ret Dec(f x1,,x t, ct y,1,, ct y,t ) ct x,i Enc msk t, x, i Encryption of y, j: ct y,j Keygen msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 55

From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i sk f ct x,1 ct x,t ct y,1 ct y,t Dec(sk f, ct x,1,, ct x,t, ct y,1,, ct y,t ): 1. sk fx Dec(sk 1,,x t f, ct x,1,, ct x,t ) 2. To j: encrypt ct y,j an Dec(ct input y,j, y, ct x,1 j,, ct x,t ) 3. Ret Dec(f x1,,x t, ct y,1,, ct y,t ) ct x,i Enc msk t, x, i Encryption of y, j: ct y,j Keygen msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 56

From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i sk f ct x,1 ct x,t ct y,1 ct y,t sk fx 1,,x t Dec(sk f, ct x,1,, ct x,t, ct y,1,, ct y,t ): 1. sk fx Dec(sk 1,,x t f, ct x,1,, ct x,t ) 2. To j: encrypt ct y,j an Dec(ct input y,j, y, ct x,1 j,, ct x,t ) 3. Ret Dec(f x1,,x t, ct y,1,, ct y,t ) ct x,i Enc msk t, x, i Encryption of y, j: ct y,j Keygen msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 57

From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i sk f ct x,1 ct x,t ct y,1 ct y,t sk fx 1,,x t ct y,1 Dec(sk f, ct x,1,, ct x,t, ct y,1,, ct y,t ): 1. sk fx Dec(sk 1,,x t f, ct x,1,, ct x,t ) 2. To j: encrypt ct y,j an Dec(ct input y,j, y, ct x,1 j,, ct x,t ) 3. Ret Dec(f x1,,x t, ct y,1,, ct y,t ) ct x,i Enc msk t, x, i Encryption of y, j: ct y,j Keygen msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 58

From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i sk f ct x,1 ct x,t ct y,1 ct y,t sk fx 1,,x t Dec(sk f, ct x,1,, ct x,t, ct y,1,, ct y,t ): 1. sk fx Dec(sk 1,,x t f, ct x,1,, ct x,t ) 2. To j: encrypt ct y,j an Dec(ct input y,j, y, ct x,1 j,, ct x,t ) 3. Ret Dec(f x1,,x t, ct y,1,, ct y,t ) ct x,i Enc msk t, x, i Encryption of y, j: ct y,j Keygen msk t, AGG y,j,k ct ct y,1 y,t To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 59

From t-input FE to 2t-Input FE The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen msk t, Gen f,k To encrypt an input x, i sk f ct x,1 ct x,t ct y,1 ct y,t sk fx 1,,x t ct ct y,1 y,t Dec(sk f, ct x,1,, ct x,t, ct y,1,, ct y,t ): 1. sk fx Dec(sk 1,,x t f, ct x,1,, ct x,t ) 2. To j: encrypt ct y,j an Dec(ct input y,j, y, ct x,1 j,, ct x,t ) 3. Ret Dec(f x1,,x t, ct y,1,, ct y,t ) ct x,i Enc msk t, x, i Encryption of y, j: f(x 1,, x t, y 1,, y t ) ct y,j Keygen msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 60

From t-input FE to 2t-Input FE The master secret key is (msk t, K) To Proof generate of security a key overview: for f x 1,, x t, y 1,, y t, sk 1. Make f Keygen AGG and t msk Gen t, Gen indep. of K f,k Using punctured PRFs + function privacy Dec(sk To encrypt f, ct(à x,1 la, an [BS15,KSY15,BKS16]), ct input x,t, ct y,1 x,, i, ct y,t ): ct x,i Enc t msk t, x, i 1. sk fx 2. Attack Dec(sk 1,,x t each x f, ct x,1,, ct x,t ) 1,, x t separately 2. To 3. j: encrypt Embed ct y,j an Dec(ct in every input y,j, ct y, x,1 j,, ct x,t ) y,j ahead of time the 3. Ret Dec(f encryption x1,,xencryption t, of ct y,1, w.r.t, ct msk of y,t ) y, x1 j:,,x t 4. Embed in sk ct fy,j ahead Keygen of time t msk the t key, AGG for y,j,k f x1,,x t To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 61

Questions? The master secret key is (msk t, K) To generate a key for f x 1,, x t, y 1,, y t, sk f Keygen t msk t, Gen f,k To encrypt an input x, i ct x,i Enc t msk t, x, i To encrypt an input y, j Encryption of y, j: ct y,j Keygen t msk t, AGG y,j,k To encrypt an input x, i Gen f,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Keygen(msk x1,,x t, f x1,,x t ) AGG y,j,k (x 1,, x t ): msk x1,,x t = Setup(F K (x 1,, x t )) Output Enc(msk x1,,x t, y, j) 62

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback