Projective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps

Similar documents
Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro

New Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation

Obfuscation and Weak Multilinear Maps

A Survey of Computational Assumptions on Bilinear and Multilinear Maps. Allison Bishop IEX and Columbia University

Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption

From Minicrypt to Obfustopia via Private-Key Functional Encryption

Lattice-Based Non-Interactive Arugment Systems

From FE Combiners to Secure MPC and Back

Private Puncturable PRFs from Standard Lattice Assumptions

Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption

Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015

Shai Halevi IBM August 2013

Fully-secure Key Policy ABE on Prime-Order Bilinear Groups

Linear Multi-Prover Interactive Proofs

Fully Homomorphic Encryption and Bootstrapping

On the Complexity of Compressing Obfuscation

Indistinguishability Obfuscation from Constant-Degree Graded Encoding Schemes

Graded Encoding Schemes from Obfuscation. Interactively Secure Groups from Obfuscation

Limits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares Meets Program Obfuscation)

Limits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares Meets Program Obfuscation)

Limits on the Locality of Pseudorandom Generators and Applications to Indistinguishability Obfuscation

Watermarking Cryptographic Functionalities from Standard Lattice Assumptions

Output Compression, MPC, and io for Turing Machines

Dual System Framework in Multilinear Settings and Applications to Fully Secure (Compact) ABE for Unbounded-Size Circuits

Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption

Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation

Minimizing the Complexity of Goldreich s Pseudorandom Generator

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Output-Compressing Randomized Encodings and Applications

Succinct Garbling Schemes from Functional Encryption through a Local Simulation Paradigm

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation

Secure Arithmetic Computation with Constant Computational Overhead

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

6.892 Computing on Encrypted Data October 28, Lecture 7

Secure Computation. Unconditionally Secure Multi- Party Computation

When does Functional Encryption Imply Obfuscation?

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Post-Zeroizing Obfuscation: The case of Evasive Circuits

Function-Hiding Inner Product Encryption

Fast Cut-and-Choose Based Protocols for Malicious and Covert Adversaries

Verification of quantum computation

Fully Key-Homomorphic Encryption and its Applications

A Simple Obfuscation Scheme for Pattern-Matching with Wildcards

Practical CCA2-Secure and Masked Ring-LWE Implementation

Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply

Benny Pinkas. Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

Cryptanalysis of branching program obfuscators

an information-theoretic model for adaptive side-channel attacks

On Zero-Testable Homomorphic Encryption and Publicly Verifiable Non-Interactive Arguments

Constructing Witness PRF and Offline Witness Encryption Without Multilinear Maps

Instantiating the Dual System Encryption Methodology in Bilinear Groups

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Packing Messages and Optimizing Bootstrapping in GSW-FHE

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions

On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

Multiparty Computation

from Standard Lattice Assumptions

Fully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science

Lecture 2: Program Obfuscation - II April 1, 2009

A survey on quantum-secure cryptographic systems

Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More

Hierarchical Functional Encryption

CS 355: TOPICS IN CRYPTOGRAPHY

Alex Lombardi. at the. June 2018

Lattice Cryptography

Graded Encoding Schemes from Obfuscation

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Attribute-based Encryption & Delegation of Computation

Classical hardness of Learning with Errors

Constraining Pseudorandom Functions Privately

Lossy Trapdoor Functions and Their Applications

On Homomorphic Encryption and Secure Computation

6.892 Computing on Encrypted Data September 16, Lecture 2

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

New and Improved Key-Homomorphic Pseudorandom Functions

A New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank

Delegating RAM Computations with Adaptive Soundness and Privacy

A Comment on Gu Map-1

Lattice Cryptography

Reducing Depth in Constrained PRFs: From Bit-Fixing to NC 1

Homomorphic Evaluation of the AES Circuit

Fully Homomorphic Encryption from LWE

Graded Encoding Schemes from Obfuscation

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

On error distributions in ring-based LWE

Craig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Practical Bootstrapping in Quasilinear Time

Compactness vs Collusion Resistance in Functional Encryption

Securely Obfuscating Re-Encryption

Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography

Keyword Search and Oblivious Pseudo-Random Functions

Exploding Obfuscation: A Framework for Building Applications of Obfuscation From Polynomial Hardness

Multilinear Maps from Obfuscation

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

A Study of Pair Encodings: Predicate Encryption in Prime Order Groups

CS 395T. Probabilistic Polynomial-Time Calculus

Homomorphic Secret Sharing for Low Degree Polynomials

Lecture 15 - Zero Knowledge Proofs

Transcription:

Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai

Constructions of io All current constructions of io are based on multilinear maps [GGHRSW13, BR14, BGKPS14, PST14, AGIS14,, AB15, Zim15, GLSW15, GMMSZ16, Lin16a, LV16, Lin16b, ] Multilinear maps: generalization of bilinear maps Degree-D multilinear maps: can compute degree-d polynomials in the exponents of the group

What is the minimum degree of multilinear maps required to construct io? Ideal Goal: 2 32 [LV 16] large constant [Lin 16] poly(k) Original works [GGHRSW 13, BGKPS 14, ]: degree = polynomial in security parameter Lin 16: degree = constant LV 16: degree = 32

This Work io from degree-5 multinear maps Ideal Goal: 2 32 5 [LV 16] large constant [Lin 16] poly(k, C ) A new template to construct io from constant degree multilinear maps

Prior Works [Lin 16,LV 16] Constant Degree Mmaps Collusion-Resistant Functional Encryption for boolean circuits io

Prior Works [Lin 16,LV 16] Constant Degree Mmaps Collusion-Resistant Functional Encryption for boolean circuits io - MMap computations performed over large fields - To construct FE from mmaps: need to arithmetize the boolean circuits

Our Template Constant Degree Mmaps Projective Arithmetic FE for arithmetic circuits io - PAFE is a version of functional encryption for arithmetic circuits

Our Template (in detail) Degree-D Multilinear maps (subexp. secure) Projective Arithmetic FE for Degree-D polynomials (subexp. secure) + degree-d randomizing polynomials (Secret Key) Sub-linear FE for P (subexp. secure) [BNPW16, LPST15, AJ15, BV15] + sub-exponential LWE io

Instantiation Degree-5 Multilinear maps (subexp. secure) Projective Arithmetic FE for Degree-5 polynomials (subexp. secure) io from degree-5 multilinear maps! + degree-5 randomizing polynomials (assumes degree-5 PRGs with poly stretch) (Secret Key) Sub-linear FE for P (subexp. secure) [BNPW16, LPST15, AJ15, BV15] + sub-exponential LWE io

Instantiation Degree-5 Multilinear maps (subexp. secure) Projective Arithmetic FE for Degree-5 polynomials (subexp. secure) io from degree-5 multilinear maps! + degree-5 randomizing polynomials (assumes degree-5 PRGs with poly stretch) (Secret Key) Sub-linear FE for P (subexp. secure) CONCURRENT WORK: Lin 17 built io assuming joint SXDH on degree-5 mmaps [BNPW16, LPST15, AJ15, BV15] + sub-exponential LWE io

Technical Overview

Our Template Degree-D Multilinear maps (subexp. secure) Projective Arithmetic FE for Degree-D polynomials (subexp. secure) + degreerandomizing polynomials (Secret Key) Sub-linear FE for P (subexp. secure) [BNPW16, LPST15, AJ15, BV15] + sub-exponential LWE io

Projective Arithmetic FE FIRST ATTEMPT: (PAFE) Same syntax as FE for boolean circuits except that functional keys issued for polynomials (over large fields) Encryption of x + Key of polynomial p := p(x) ISSUE: Current techniques are a limiting factor! - If p(x) is large, we don t know how to construct this notion - Reason: Decryption in existing FE schemes yields Encoding(p(x)) and can decode only if p(x) is small

Projective Arithmetic FE (PAFE) p1 p2 p3 x Key Generation skp1 skp2 skp3 Encryption Enc(x) + Projective Decrypt + + ENCODINGS: p1(x) p2(x) p3(x) Can recover linear function of (p1(x),p2(x),p3(x), ) if output of linear function is small

Efficiency Linear Overhead: Size of encryption of y := y poly(k,d) D - degree of polynomials Security Semi-functional security: Inspired by ABE literature [Wat09,LOS+10,,GGHZ14] Captures a weak form of function hiding

Our Template Degree-D Multilinear maps (subexp. secure) Projective Arithmetic FE for Degree-D polynomials (subexp. secure) + degree-d randomizing polynomials (Secret Key) Sub-linear FE for P (subexp. secure) [BNPW16, LPST15, AJ15, BV15] + sub-exponential LWE io

Sub-linear (Secret Key) FE for Boolean circuits SUB-LINEARITY Enc(x) = C e poly(k, x ) ; e <1

Randomizing Polynomials Encode C p1 p2 pn (x, r) + + + Decode p1(x,r) + p2(x,r) + pn(x,r) = C(x) If all pi is of degree D then it is a degree-d randomizing polynomial

Construction of Sub-linear FE Key Generation of C: Randomizing Polynomial of C C p1 p2 pn PAFE key generation of p1,,pn skp1 skp2 skpn Functional key of C = (skp1,, skpn)

Construction of Sub-linear FE Key Generation of C: C p1 p2 pn skp1 skp2 skpn Encryption of x: x (x, r) r

Construction of Sub-linear FE Key Generation of C: C p1 p2 pn Encryption of x: SUB-LINEARITY PROPERTY of randomizing polynomials: r is sublinear in the length of circuit description skp1 skp2 skpn x (x, r) r

Construction of Sub-linear FE Decryption (INTUITION): - Execute PAFE ProjectiveDecrypt - Execute Recover to obtain encoding of (C,x) - Execute the decoding procedure

Instantiation of degree-5 randomizing polynomials (with sub-linearity property) WARMUP: - Consider degree-3 randomizing polynomials [AIK 06] (without sub-linearity property) - Compress randomness using PRGs! - Use degree 5 PRGs (maps seed of length n to n 1.49 ) TOTAL DEGREE = 5 * 3 = 15

Instantiation of degree-5 randomizing polynomials (with sub-linearity property) WARMUP: Goldreich PRG candidate: Analysed by O Donnell and Witmer'14 - Consider degree-3 randomizing polynomials [AIK 06] (without sub-linearity property) - Compress randomness using PRGs! - Use degree 5 PRGs (maps seed of length n to n 1.49 ) TOTAL DEGREE = 5 * 3 = 15

Instantiation of degree-5 randomizing polynomials (with sub-linearity property) WARMUP: - Consider degree-3 randomizing polynomials [AIK 06] (without sub-linearity property) Degree-5 randomizing polynomials: - Compress We randomness use pre-processing using PRGs! trick! - (pre-compute Use some degree partial 5 PRGs terms ahead of time) (maps seed of length n to n 1.49 ) TOTAL DEGREE = 5 * 3 = 15

Our Template Degree-D Multilinear maps (subexp. secure) Projective Arithmetic FE for Degree-D polynomials (subexp. secure) + degreerandomizing polynomials (Secret Key) Sub-linear FE for P (subexp. secure) [BNPW16, LPST15, AJ15, BV15] + sub-exponential LWE io

Slotted Encodings An abstraction of composite order multi-linear maps Encoding of (a,b,c) w.r.t color: a b c Addition w.r.t same color: + a1 b1 c1 a2 b2 c2 = a1+a2 b1+b2 c1+c2 Multiplication w.r.t compatible colors: a1 b1 c1 * = a2 b2 c2 a1*a2 b1*b2 c1*c2 Zero Test w.r.t color red: a b c is ZERO if and only if a+b+c=0

Degree-D Slotted Encodings from Degree-D Prime order mmap Degree-D slotted encodings: if it allows for evaluating polynomials of degree at most D SIMPLE CASE: Degree=2 a1 b1 c1, a2 b2 c2

Degree-D Slotted Encodings from Degree-D Prime order mmap Degree-D slotted encodings: if it allows for evaluating polynomials of degree at most D SIMPLE CASE: Degree=2 Pick vectors u1, u2, u3, v1, v2, v3 a1u1 + b1u2 + c1u3, a2v1 + b2v2 + c2v3 such that <ui,vj> = 1, if i=j = 0, otherwise

Degree-D Slotted Encodings from Degree-D Prime order mmap Degree-D slotted encodings: if it allows for evaluating polynomials of degree at most D SIMPLE CASE: Degree=2 Pick vectors u1, u2, u3, v1, v2, v3 Dual vector spaces! [OT08,OT09,BJK15] a1u1 + b1u2 + c1u3, a2v1 + b2v2 + c2v3 such that <ui,vj> = 1, if i=j = 0, otherwise

Degree-D Slotted Encodings from Degree-D Prime order mmap Degree-D slotted encodings: if it allows for evaluating polynomials of degree at most D SIMPLE CASE: Degree=2 < a1u1 + b1u2 + c1u3, a2v1 + b2v2 + > c2v3 = a1a2 + b1b2 + c1c2

Degree-D Slotted Encodings from Degree-D Prime order mmap Higher (constant) degrees: tensoring of dual vector spaces Example: Degree=3 < a1w1u1 + b1w2u2 + c1w3u3, a2v1 + b2v2 + > c2v3 = a1a2w1 + b1b2w2 + c1c2w3,

Construction of PAFE (Intuition) Setup: Pick R1,,Rn Encryption of x: x1 R1 0 x2 R2 0 xn Rn 0 Key Generation of polynomial p: p, 0 p(r1,,rn) 0 WHY IS IT SECURE? p(r1,,rn) in second slot forces homomorphic evaluation of p on ciphertext encodings

Construction of PAFE (Intuition) Setup: Pick R1,,Rn Encryption of x: x1 R1 0 x2 R2 0 xn Rn 0 Key Generation of polynomial p: p, 0 p(r1,,rn) 0 MAIN ISSUE: Mix-and-match attacks encodings from different ciphertexts can be mixed

Construction of PAFE (Intuition) Setup: Pick R1,,Rn Encryption of x: x1 R1 0 x2 R2 0 xn Rn 0 Key Generation of polynomial p: p, Prevented by having 0 p(r1,,rn) ciphertext-specific" 0 checks! MAIN ISSUE: Mix-and-match attacks encodings from different ciphertexts can be mixed

Conclusions A new template for io from degree-5 multilinear maps. [Lin-Tessaro 17]: io from degree-3 multilinear maps [Lin-Tessaro 17]: Show degree-d block-wise local PRGs + degree-d mmaps imply io

Future Directions Explore notions of degree-2 PRGs that suffice to construct io This would yield io from bilinear maps Negative Results on degree-2 PRGs [BBKK 17, LV 17]

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback