Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro

Similar documents
Projective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps

From Minicrypt to Obfustopia via Private-Key Functional Encryption

New Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation

Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption

Private Puncturable PRFs from Standard Lattice Assumptions

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Shai Halevi IBM August 2013

Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption

From FE Combiners to Secure MPC and Back

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

Watermarking Cryptographic Functionalities from Standard Lattice Assumptions

A Survey of Computational Assumptions on Bilinear and Multilinear Maps. Allison Bishop IEX and Columbia University

Obfuscation and Weak Multilinear Maps

Lattice-Based Non-Interactive Arugment Systems

6.892 Computing on Encrypted Data October 28, Lecture 7

Output-Compressing Randomized Encodings and Applications

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Indistinguishability Obfuscation from Constant-Degree Graded Encoding Schemes

Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015

On Homomorphic Encryption and Secure Computation

Limits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares Meets Program Obfuscation)

Foundations of Homomorphic Secret Sharing

1 Public-key encryption

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups

Graded Encoding Schemes from Obfuscation

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

Reducing Depth in Constrained PRFs: From Bit-Fixing to NC 1

Constructing Witness PRF and Offline Witness Encryption Without Multilinear Maps

Multi-Input Functional Encryption

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Graded Encoding Schemes from Obfuscation

Fully Homomorphic Encryption and Bootstrapping

Linear Multi-Prover Interactive Proofs

Limits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares Meets Program Obfuscation)

Computing with Encrypted Data Lecture 26

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts

III. Pseudorandom functions & encryption

Computing on Encrypted Data

Modern symmetric-key Encryption

1 Secure two-party computation

On the Communication Complexity of Secure Function Evaluation with Long Output

FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan

Fully Homomorphic Encryption from LWE

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

Bootstrapping Obfuscators via Fast Pseudorandom Functions

Dual System Framework in Multilinear Settings and Applications to Fully Secure (Compact) ABE for Unbounded-Size Circuits

Introduction to Cryptography. Lecture 8

Succinct Garbling Schemes from Functional Encryption through a Local Simulation Paradigm

On the Complexity of Compressing Obfuscation

Packing Messages and Optimizing Bootstrapping in GSW-FHE

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

Fully Homomorphic Encryption over the Integers

Fully Key-Homomorphic Encryption and its Applications

Alex Lombardi. at the. June 2018

Identity Based Encryption

Public-Seed Pseudorandom Permutations

Constrained Keys for Invertible Pseudorandom Functions

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

How Fast Can We Obfuscate Using Ideal Graded Encoding Schemes

A Comment on Gu Map-1

Better Security for Functional Encryption for Inner Product Evaluations

from Standard Lattice Assumptions

Gentry s Fully Homomorphic Encryption Scheme

Private Puncturable PRFs From Standard Lattice Assumptions

Unbounded Inner Product Functional Encryption from Bilinear Maps

Homomorphic Secret Sharing for Low Degree Polynomials

Decentralizing Inner-Product Functional Encryption

Disjunctions for Hash Proof Systems: New Constructions and Applications

Dan Boneh. Stream ciphers. The One Time Pad

When does Functional Encryption Imply Obfuscation?

GGHLite: More Efficient Multilinear Maps from Ideal Lattices

Evaluating 2-DNF Formulas on Ciphertexts

Quantum-secure symmetric-key cryptography based on Hidden Shifts

Fully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science

Cryptanalysis of branching program obfuscators

New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Doubly half-injective PRGs for incompressible white-box cryptography

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

On Kilian s Randomization of Multilinear Map Encodings

Public-seed Pseudorandom Permutations EUROCRYPT 2017

Obfuscating Compute-and-Compare Programs under LWE

k-round MPC from k-round OT via Garbled Interactive Circuits

Lightweight Symmetric-Key Hidden Vector Encryption without Pairings

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Standard versus Selective Opening Security: Separation and Equivalence Results

Lecture 2: Program Obfuscation - II April 1, 2009

Foundations of Homomorphic Secret Sharing

On the CCA1-Security of Elgamal and Damgård s Elgamal

Hierarchical Functional Encryption

Multilinear Maps from Obfuscation

Simulation-Based Secure Functional Encryption in the Random Oracle Model

Background: Lattices and the Learning-with-Errors problem

Public-Key Encryption with Simulation-Based Selective-Opening Security and Compact Ciphertexts

Transcription:

Indistinguishability Obfuscation from Low-Degree Multilinear Maps and (Blockwise) Local PRGs [Lin16b, LT17, To appear, Crypto 17] Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro

Circuit Obfuscation Compile a circuit C into Ĉ that preserves functionality, and is unintelligible (resistant to reverse engineering) x C Obfuscator O x Ĉ y = C(x) y = C(x)

Indistinguishability Obfuscator io [BGI+01] Which one of two equivalent circuits C 1 C 2 is obfuscated? C 1 C 2, meaning Same size C 1 = C 2 Same truth table TB(C 1 ) = TB(C 2 ) { } { } io (C1) io (C2)

Balancing at the border of (in)security Candidate io [GGHRSW13,BR14,BGKPS14,PST14,GLSW14,AGIS14,Zim15, AB15,GMMSSZ16,DGGMM16,Lin16,LV16,AS16,Lin16b,LT17] Graded Encodings [GGH13] Direct Attack [MSZ16,ADGM1 7,CGH17] Candidates [GGH13,CLT13, GGH15,CLT15] Zeroizing Attacks [GGH13,CHL15, GHMS14,BWZ14, CGH15]

What objects and assumptions imply IO? Beefing Up Security Reduction Heavy GES Local PRG Light GES

Degree-L of GES Support evaluation of degree-l polynomials More secure Potentially easier to find algebraic instantiation High-deg GES Low-deg GES What power do low-deg GES have? Also, weaker functionality and security

Deg-poly GES [GGHRSW13.] Ideal model ~ Uber assump [PST14] MSEA [GLSW14,GGHZ16 + AJ15/BV15] Deg-O(1) GES [Lin16] DDH-like joint-sxdh [LV16] Deg-5 GES [AS16] Close to ideal model security Deg-5 MMap [Lin16b] SXDH Deg-3 MMap [LT17] SXDH Bilinear Map Locality O(1) PRG Locality 5 PRG Locality 4 PRG Impossible [MST03] Block Locality 3 PRG Block Locality 2 PRG Impossible [LV17,BBKK17]

(Asymmetric) Multilinear Maps [BS03,Rot13] Encode in group G L : [a] L = g a L Multiply: [a 1 ] [a i ] 1 i [a j ] j [a D ] D [a 1 a D ] D+1 Degree d (d = 2, Bilinear map ) Add/Sub: [a i ] L [a j ] L [a i + a j ] L Zero-Test (ZT): ZT( [a] L ) = 1 iff a = 0

Deg-d Mmap vs Deg-d GES [a 1 ] 1 Pairable [a i ] i [a j ] j [a n ] d [a 1 ] [a i ] Li [a j ] L1 Lj [a n ] Ln GES is stronger Functionality-wise: Support evaluation of more polynomials Security-wise: More control on what polynomials are prohibited label

[a 1 a 5 ] 6 [a 1 ] 1 [a 2 ] 2 [a 3 ] 3 [a 4 ] 4 [a 5 ] 5 SXDH: Classical DDH on EACH label source group { [a] L [b] L [ab] L } { } [a] L [b] L [r] L a, b, r ß R given { [1] } L L [5]

* In the rest of the talk, implicitly assume sub-exp security Main Theorem [Lin16b]: a construction of (sub-exp secure) IO from d-linear MMaps assuming sub-exp SXDH on d-linear MMaps sub-exp locality-d PRG sub-exp LWE Block Locality d PRG [LT17]

Blockwise Local PRGs Locality L [CEMT09, BQ12, OW14, AL16] L = 5 [Gol00,MST03,OW14] L < 5 impossible [MST03] Polynomial stretch y = s 234 y s Blockwise Locality BL y Block size b log(λ) s Input Blocks

Preliminary Study on Blockwise Local PRGs Goldreich s local functions with input bits replaced by blocks F 6,8,9 : y : = P : (s 6(:) ) y s BL When BL 3, G: graph a deg-bl G with bipartite good expansion graph, (unique P : 0,1 neighbor 9 JK expansion) {0,1} Do Not Exist :( * 1. Blockwise locality-3 Small-Bias Generators 2. For large b, a good expander G, and suitable P, F 6,8,9 is a high-locality Cool Attacks, function with next good Talk expansion, assumed to be OW and pseudorandom by [AR16] * Small window of expansion, not known to be sufficient for IO 3. Hardness amplification

io Construction Step 1 + Block-locality-dPRG SK Functional Encryption Deg-d (SK) FE for Deg-d Polynomial with linear efficiency with linear efficiency Step 2 Deg-d MMap w/ SXDH Degree Preserving Bootstrapping [LT17] Key Idea: Preprocessing! [Lin16b,AS16,LT17] Degree Preserving FE Construction [Lin16b] Key Idea: Recursively Compose IPE [ABDP15]

Functional Encryption --- Encryption with partial decryption keys msk ß Setup(1 n ) Enc(msk, m): Dec( sk C, ct ): Keygen(msk, C): ct(m) sk(c) ct(m) sk(c) y = C(m) Semantic Security:, m 2, m P C, s.t. C V (m 2 : ) = C V (m P : ) 2 ct m : : sk C V V P ct m : sk C V V :

Functional Encryption msk ß Setup(1 n ) Enc(msk, m): ct(m) Keygen(msk, C): Non-Compact: T Enc = poly(λ, m, C ) (Weakly) Compact T Enc = poly(λ, m ) C 1-ε Linear efficiency T Enc = poly(λ) m sk(c)

io Bootstrapping [BNPW16] 1-key FE for NC 1 compact + Block-locality-dPRG 1. Deg(FE) = 3 L + 1 [Lin16,LV16] Bootstrapping via Randomized Encoding + local PRG 2. Deg(FE) = L [Lin16b,AS16] deg-d FE w/ linear efficiency 3. Deg(FE) = BL [LT17]

Randomized Encodings (RE) [AIK04] Represent a complex computation, by a simpler computation f x = y NC 2 RE ] x; r = Π NC c d Deg RE g = 4 Importantly, deg 1 in x and deg 3 in r s.t., Π encodes y, and reveals nothing else

Use RE for Low-Deg Computation [Lin16, LV16] Goal: 1-key FE for NC 1 compact CT(x) SK(f) Tool: Deg-d FE linearly efficient CT(x, r) SK(RE ] ) Compact? T Enc = poly λ x, r poly λ f 2op Deg(FE) = Deg RE g = 4 Need, Randomness Efficient RE r < f 1oε

Use PRG for Randomness Efficiency [Lin16, LV16] r = PRG s g(x, s) = RE ] x ; PRG s Compact s = r } }~ w.l.o.g. RE has r = O f è T Enc = x, s = f 2op Tool: deg-d FE linearly efficient CT(x, s) SK g Deg(FE) = Deg g = 3Deg PRG + 1 3 L + 1

io Bootstrapping [LT17] [BNPW16] 1-key FE for NC 1 compact + Block-locality-dPRG 1. Deg(FE) = 3 L + 1 [Lin16,LV16] Bootstrapping via Randomized Encoding + local PRG 2. Deg(FE) = L [Lin16b,AS16] Preprocessing at Encryption time deg-d FE w/ linear efficiency 3. Deg(FE) = BL [LT17]

Preprocessing [Lin16,LV16] Goal: Decompose g into A, B s.t. g(x, s) = RE ] x ; PRG s = B( A x, s ) CT(A(x, s)) SK B Compact T Enc = A(x, s) f 2op Deg(FE) = Deg B L

Pro-process Multiplication with x [Lin16,LV16] Recall: RE has deg 1 in x & deg 3 in r g(x, s) = RE ] x ; PRG s = x : PRG s PRGˆ s PRG (s) Compact T Enc = A(x, s) x, s, x s poly(λ) f 2op A(x, s) = CT( x, s, x s ) SK B s.t. B A x, s Deg(FE) = Deg B Deg g 1 = g(x, s) &

Pro-process Multiplication between s [Lin16,LV16] Recall: RE has deg 1 in x & deg 3 in r g(x, s) = RE ] x ; PRG s = x : PRG s PRGˆ s PRG (s) Compact T Enc = A(x, s) x, s, s s f 2op f 2op CT( ) SK B s.t. B A x, s A(x, s) = x, s, s s Deg(FE) = Deg B Deg g 1 = g(x, s) &

g(x, s) = RE ] x ; PRG s = x : PRG s PRGˆ s PRG (s) Multiplication b/w random edges Hard to pre-compute compactly j k l L s } s Š s s Œ s sˆ}sˆšsˆ sˆœsˆ s } s Š s s Œ s s

g(x, s) = RE ] x ; PRG s Massage g into this form What can we pre-compute? Pre-Compute Multiplication b/w the same (random) edge, compactly L s s } s Š s s Œ s Ž Ž Ž Ž Ž s Š s s Œ s ŽŽ ŽŽ ŽŽ ŽŽ ŽŽ s Š s s Œ s s } s } s s

g(x, s) = RE ] x ; PRG s f x = {f : (x)} w.l.o.g f : = poly(λ) o.w. f = Yao(f, x; PRF(k)) m f {RE ] x; r i } = {RE } m f Then r i = poly λ & multiplication within r : r :V r : r :

RE ] x; r i = {RE } m f r i = poly λ multiplication within r : r :V r : r : So far, r i = i th portion of PRG s Multiplication b/w random edges r 1 r i r m s

RE ] x; r i = {RE } m f r i = poly λ multiplication within r : r :V r : r : j k l Now, r 1j r ij r mj = PRG s j j Multiplication b/w same edges s j s k s l Poly(λ)

Pre-compute deg-3 monomials over each column So that, r :V r : r : can be computed in degree L è Deg(FE) = L # monomials = column s V = poly(λ)f 2op è Compactness Multiplication b/w same edges s j s k s l Poly(λ)

io Bootstrapping [LT17] [BNPW16] 1-key FE for NC 1 compact + Block-locality-dPRG 1. Deg(FE) = 3 L + 1 [Lin16,LV16] Bootstrapping via Randomized Encoding + local PRG 2. Deg(FE) = L [Lin16b,AS16] Preprocessing at Encryption time deg-d FE w/ linear efficiency 3. Deg(FE) = BL [LT17] Extend Preprocessing to Block Locality

Pre-compute Mult b/w blocks in each column [LT17] Pre-compute all monomials over each block, 2 ( ) = λ, many Pre-compute deg-3 mnmls over mnmls in each column poly λ, many s j s k log(λ) Poly(λ) s l

io Construction Step 1 + Block-locality-dPRG SK Functional Encryption Deg-d (SK) FE for Deg-d Polynomial with linear efficiency with linear efficiency Step 2 Degree Preserving Bootstrapping [LT17] Key Idea: Preprocessing! [Lin16b,AS16,LT17] Degree Preserving FE Construction [Lin16b] Key Idea: Compose IPE [ABDP15] Deg-d MMap w/ SXDH

Bird s Eye View: Deg-d FE ç Deg-d Mmap Suppose we only want to compute x 1 x d while hiding x [x 1 x d ] d+1 [x d ] d Functionality Security How to hide x? [x 1 ] 1 [x 2 ] 2 [x 3 ] 3

Bird s Eye View: Deg-d FE ç Deg-d Mmap Suppose we only want to compute x 1 x d, while hiding x [LV16] Security ç RE [AIK14] + Function Hiding IPE [x 1 x d ] d+1 RE.Decode [Lin16b] Security ç Recursively composing IPE [x 1 x d ] d+1 IPE: FE for inner products ç SXDH on Bilinear maps ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) [ RE (x 1 x d ; r) ] d ict(x 1 ) isk(x 2 ) ict(x r ) isk(r ) No Waste of Degree

FE Construction 4. Security Challenge 3. Deg-d FE from d-linear maps [x 1 x d ] d+1 2. Quadratic FE from Bilinear maps 1. IPE ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) ict(x 1 ) isk(x 2 )

isk(u) ict(v) Inner Product Encryption Dec <u,v> Weak Functionality: Test if <u,v> is zero Public-key IPE ç DDH or LWE or Paillier [ABDP15,ALS16] Secret-key IPE, function hiding (i.e, hide both u, v) ç Bilinear map [KSW08,BJK15+LV16,DDM16] csk (u) = [ U ] cct(v) = [ V ] 1 0 Dec [<u,v>] 2 target group different source groups Canonical Form FH SK-IPE [This work]

The ABDP PK-IPE Scheme from DDH imsk : s ß Z ª impk : [s] = g s isk(y) : <s, y> y ict(x) : [-r] = g -r [rs + x] = g r s + x Dec < ict(x), isk(y) > = [-r <s, y>] + [<rs, y> + <x, y>] = [<x, y>]

FE Construction 4. Security Challenge 3. Deg-d FE [x 1 x d ] d+1 2. Quadratic FE from Bilinear maps 1. IPE ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) ict(x 1 ) isk(x 2 )

qfe: SK-FE for Quadratic Poly Starting Point: Compute quadratic polynomials using inner products f(x) = Σ C ij x i x j = < C, x x > qmsk : S ß Z ª Š But, qct = n 2 qsk(f) = isk(c) : <S, C> C qct(x) = ict(x x) : [-r] [rs + x x]

qfe: SK-FE for Quadratic Poly f(x) = Σ C ij x i x j = < C, x x > Idea: Compress Ciphertext qmsk : S ß Z ª Š qsk(f) = isk(c) : <S, C> C But, S = n 2 qct is imcompressble qct(x) = ict(x x) : [-r] [rs + x x]

qfe: SK-FE for Quadratic Poly f(x) = Σ C ij x i x j = < C, x x > qmsk : s 1 s 2 ß Z ª Idea: Compress Ciphertext 1. Replace S with s 1 s 2 Now, ict depends on (r, s 1, s 2, x) = O(n) qsk(f) = isk(c) : <s 1 s 2, C> C qct(x) = ict(x x) : [-r] [r s 1 s 2 + x x]

qfe: SK-FE for Quadratic Poly f(x) = Σ C ij x i x j = < C, x x > qmsk : s 1 s 2 ß Z ª Idea: Compress Ciphertext 1. Replace S with s 1 s 2 2. Generate ict using canonical FH IPE ict[i,j] = [rs : 2 s V P + x : x V ] = [< x : s : 2, x V rs V P >] qsk(f) = isk(c) : <s 1 s 2, C> C qct(x) = ict(x x) : [-r] [r s 1 s 2 + x x] Dec cct(x : s : 2 ) csk(x V rs V P )

qfe: SK-FE for Quadratic Poly f(x) = Σ C ij x i x j = < C, x x > Idea: Compress Ciphertext 1. Replace S with s 1 s 2 2. Generate ict using canonical FH IPE qmsk : s 1 s 2 ß Z ª qsk(f) = isk(c) : <s 1 s 2, C> C Linear Efficiency qct = n( cct + csk )=O(n) Security Hope FH IPE reveals only ict PK IPE Sec è ict hides x qct(x) : [-r] [r s 1 s 2 + x x] Dec cct(x : s : 2 ) csk(x V rs V P )

FE Construction 4. Security Challenge 3. Deg-d FE Generalizing IPE to high degree, deg-d HIPE Use HIPE to compress N d -size ABDP CT [x 1 x d ] d+1 2. Quadratic FE from Bilinear maps 1. IPE ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) ict(x 1 ) isk(x 2 )

dfe: SK-FE for Deg-d Poly Starting Point: Compute deg-d polynomials using inner products f(x) = Σ C } x } x = < C, x d > MSK : S ß Z ª = x x SK(f) = isk(c) : <S, C> C But, FH IPE only compresses CT to n d/2 CT(x) = ict( x d ) : [-r] [rs + x d ]

New Tool: High-degree IPE (HIPE) --- Multi-input FE for computing high-degree inner product Deg-d HIPE hct 1 (x 1 ) hct d-1 (x d-1 ) hsk(x d ) Deg-d Inner Product Dec <x 1, x 2,, x d-1, x d V > = : [ª] V [ ] x : Weak Functionality: Test if inner product is zero Function hiding: Hide x 1, x 2,, x d-1, x d

New Tool: High-degree IPE (HIPE) --- Multi-input FE for computing high-degree inner product Canonical Deg-d HIPE hct 1 (x 1 ) hct d-1 (x d-1 ) hsk(x d ) = = = [X 1 ] 1 [X d-1 ] d-1 [X d ] d Deg-d Inner Product Dec [ ] : [ª] V [ ] d+1 <x 1, x 2,, x d-1, x d > = x : V This Work: Canonical Deg-d HIPE ç SXDH on Deg-d Mmaps

dfe: SK-FE for Deg-d Poly f(x) = < C, x d > Idea: Compress Ciphertext 1. Replace S with s d = s 1 s 2 s d MSK : s 1, s 2,, s d ß {0,1} ª SK(f) = isk(c) : < s d, C> C ict depends on (r, s 1,, s d, x) = O(n) CT(x) = ict( x d ) : [-r] [r s d + x d ]

dfe: SK-FE for Deg-d Poly f(x) = < C, x d > Idea: Compress Ciphertext 1. Replace S with s d = s 1 s 2 s d 2. Generate ict using canonical FH HIPE MSK : s 1, s 2,, s d ß {0,1} ª SK(f) ict[i 1,,i d ] = [ rs 2 :} s o2 : ¹} s : + x :} x : ¹} x : ] = [ < x :} s 2 :} x : ¹} s o2 : ¹}, x : rs : > ] = isk(c) : < s d, C> C CT(x) = ict( x d ) : [-r] [r s d + x d ]

dfe: SK-FE for Deg-d Poly f(x) = < C, x d > Idea: Compress Ciphertext 1. Replace S with s d = s 1 s 2 s d 2. Generate ict using canonical FH HIPE MSK : s 1, s 2,, s d ß {0,1} ª SK(f) ict[i 1,,i d ] = [ rs 2 :} s o2 : ¹} s : + x :} x : ¹} x : ] = [ < x :} s 2 :} x : ¹} s o2 : ¹}, x : rs : > ] = isk(c) : < s d, C> C Dec CT(x) : [-r] hct 1 (x :} s 2 :} ) hct d-1 (x : ¹} rs o2 : ¹} ) hsk(x : rs : )

This work: Canonical FH Deg-d HIPE ç SXDH on Deg-d MMaps Canonical Canonical Canonical Recursion: Deg-d HIPE ç Deg-d-1 HIPE + FH IPE Deg-d Inner Product <x 1, x 2,, x d-1, x d V > = : [ª] V [ ] x : = < x 1 x 2 x d-1, x d > coordinate-wise multiplication Compute using Deg-(d-1) HIPE Compute using FH IPE

Canonical Canonical Canonical Idea: Deg-d HIPE ç Deg-d-1 HIPE + FH IPE Use deg-d-1 HIPE to compute deg-d-1 product hct 1 (x 2 2 ) hct d-2 (x 2 op ) hsk(x 2 o2 ) Dec [x 2 2 x 2 o2 ] hct 1 (x 2 : ) hct d-2 (x : op ) hsk(x : o2 ) Dec [x : 2 x : o2 ] hct 1 (x 2 ª ) hct d-2 (x ª op ) hsk(x ª o2 ) Dec [x ª 2 x ª o2 ] Encrypt x 1, x d-2, x d-1 one by one using deg-d HIPE Each row i with an independent hmsk i = [x 1 x 2 xd 1 ]

Canonical Canonical Canonical Idea: Deg-d HIPE ç Deg-d-1 HIPE + FH IPE Use deg-d-1 HIPE to compute cct(deg-d-1 product) hct 1 (X 2 2 ) hct d-2 (X 2 op ) hsk(x 2 o2 ) Dec cct 1 hct 1 (X 2 : ) hct d-2 (X : op ) hsk(x : o2 ) Dec cct i hct 1 (X 2» ) hct d-2 (X» op ) hsk(x» o2 ) Dec cct l = j Each X cct(x 1 x 2 xd 1 i depends only on xj and cmsk ) CT 1 (x 1 ) CT d-1 (x d-2 ) CT d-1 (x d-1 ) SK(x d ) csk(x d ) [ <x 1, x 2,, x d-1, x d > ]

FE Construction 4. Security Challenge 3. Deg-d FE Generalizing IPE to high degree, deg-d HIPE Use HIPE to compress N d -size ABDP CT [x 1 x d ] d+1 2. Quadratic FE from Bilinear maps 1. IPE ict(x 1 x d-1 ) isk(x d ) ict(x 1 x 2 x 2 ) ict(x 1 x 2 ) isk(x 3 ) ict(x 1 ) isk(x 2 )

Want: qct(u) qct(v), if f i (u) = f i (v) for all i qsk(f 1 ) = isk(c 1 ) qsk(f i ) = isk(c i ) qsk(f l ) = isk(c l ) 2. Sec of PK-IPE è ict hides x = or v ict(x x) : [-r] [r s 1 s 2 + x x] Need sec to hold for imsk = s 1 s 2 qct(x) : Dec [-r] cct(x : s : 2 ) csk(x V rs V P ) 1. FH of SK-IPE è only ict is revealed Need Simu Sec

Want: qct(u) qct(v), if f i (u) = f i (v) for all i qsk(f 1 ) = isk(c 1 ) qsk(f i ) = isk(c i ) qsk(f l ) = isk(c l ) 1. Change matrix x x row by row ict(x x) : [-r] [r s 2 ¼: s 2 + v ¼: v] [r s 2 : s 2 + u : u / v : v ] [r s 2 Á: s 2 + u Á: u ] qct(x) : [-r] Dec cct(x : s : 2 ) csk(x V rs V P ) 2. Use Ind-FH to emulate Sim-FH 3. Add offset in qsk to keep outputs same 4. SXDH è s : 2 s 2 U n

Lin16b: IO ç SXDH on DEG-5 Multi-linear Maps + locality-5 PRG + LWE LT17: IO ç SXDH on Trilinear Maps + Block-locality-3 PRG + LWE Bilinear Map

Thank you!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback