Results 1 - 10 of 38
Candidate indistinguishability obfuscation and functional encryption for all circuits
In FOCS, 2013
Cited by 169 (37 self)
In this work, we study indistinguishability obfuscation and functional encryption for general circuits: Indistinguishability obfuscation requires that given any two equivalent circuits C_0 and C_1 of similar size, the obfuscations of C_0 and C_1 should be computationally indistinguishable. In functional encryption, ciphertexts encrypt inputs x and keys are issued for circuits C. Using the key SK_C to decrypt a ciphertext CT_x = Enc(x) yields the value C(x) but does not reveal anything else about x. Furthermore, no collusion of secret key holders should be able to learn anything more than the union of what they can each learn individually. We give constructions for indistinguishability obfuscation and functional encryption that support all polynomial-size circuits. We accomplish this goal in three steps:
• We describe a candidate construction for indistinguishability obfuscation for NC^1 circuits. The security of this construction is based on a new algebraic hardness assumption. The candidate and assumption use a simplified variant of multilinear maps, which we call Multilinear Jigsaw Puzzles.
• We show how to use indistinguishability obfuscation for NC^1 together with Fully Homomorphic Encryption (with decryption in NC^1) to achieve indistinguishability obfuscation for all circuits.
Reusable garbled circuits and succinct functional encryption
2013
Cited by 42 (3 self)
Garbled circuits, introduced by Yao in the mid 80s, allow computing a function f on an input x without leaking anything about f or x besides f(x). Garbled circuits found numerous applications, but every known construction suffers from one limitation: it offers no security if used on multiple inputs x. In this paper, we construct for the first time reusable garbled circuits. The key building block is a new succinct single-key functional encryption scheme. Functional encryption is an ambitious primitive: given an encryption Enc(x) of a value x, and a secret key sk_f for a function f, anyone can compute f(x) without learning any other information about x. We construct, for the first time, a succinct functional encryption scheme for any polynomial-time function f where succinctness means that the ciphertext size does not grow with the size of the circuit for f, but only with its depth. The security of our construction is based on the intractability of the Learning with Errors (LWE) problem and holds as long as an adversary has access to a single key sk_f (or even an a priori bounded number of keys for different functions). Building on our succinct single-key functional encryption scheme, we show several new applications in addition to reusable garbled circuits, such as a paradigm for general function obfuscation which we call token-based obfuscation, homomorphic encryption for a class of Turing machines where the evaluation runs in input-specific time rather than worst-case time, and a scheme for delegating computation which is publicly verifiable and maintains the privacy of the computation.
Attribute-based encryption for circuits
 In STOC
Cited by 42 (11 self)
In an attribute-based encryption (ABE) scheme, a ciphertext is associated with an ℓ-bit public index ind and a message m, and a secret key is associated with a Boolean predicate P. The secret key allows to decrypt the ciphertext and learn m iff P(ind) = 1. Moreover, the scheme should be secure against collusions of users, namely, given secret keys for polynomially many predicates, an adversary learns nothing about the message if none of the secret keys can individually decrypt the ciphertext. We present attribute-based encryption schemes for circuits of any arbitrary polynomial size, where the public parameters and the ciphertext grow linearly with the depth of the circuit. Our construction is secure under the standard learning with errors (LWE) assumption. Previous constructions of attribute-based encryption were for Boolean formulas, captured by the complexity class NC^1. In the course of our construction, we present a new framework for constructing ABE schemes. As a byproduct of our framework, we obtain ABE schemes for polynomial-size branching programs, corresponding to the complexity class LOGSPACE, under quantitatively better assumptions.
Computing blindfolded: New developments in fully homomorphic encryption
 in Foundations of Computer Science (FOCS), 2011 IEEE 52nd Annual Symposium on. IEEE, 2011
Cited by 23 (2 self)
A fully homomorphic encryption scheme enables computation of arbitrary functions on encrypted data. Fully homomorphic encryption has long been regarded as cryptography’s prized “holy grail” – extremely useful yet rather elusive. Starting with the groundbreaking work of Gentry in 2009, the last three years have witnessed numerous constructions of fully homomorphic encryption involving novel mathematical techniques, and a number of exciting applications. We will take the reader through a journey of these developments and provide a glimpse of the exciting research directions that lie ahead.
Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits
2014
Cited by 19 (2 self)
We construct the first (key-policy) attribute-based encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fan-in gates thereby further reducing the circuit depth. Building on this ABE system we obtain the first reusable circuit garbling scheme that produces garbled circuits whose size is the same as the original circuit plus an additive poly(λ, d) bits, where λ is the security parameter and d is the circuit depth. Save the additive poly(λ, d) factor, this is the best one could hope for. All previous constructions incurred a multiplicative poly(λ) blowup. As another application, we obtain (single key secure) functional encryption with short secret keys. We construct our attribute-based system using a mechanism we call fully key-homomorphic encryption which is a public-key system that lets anyone translate a ciphertext encrypted under a public-key x into a ciphertext encrypted under the public-key (f(x), f) of the same plaintext, for any efficiently computable f. We show that this mechanism gives an ABE with short keys. Security is based on the subexponential hardness of the learning with errors problem. We also present a second (key-policy) ABE, using multilinear maps, with short ciphertexts: an encryption to an attribute vector x is the size of x plus poly(λ, d) additional bits. This gives a reusable circuit garbling scheme where the size of the garbled input is short, namely the same as that of the original input, plus a poly(λ, d) factor.
Functional encryption: New perspectives and lower bounds
Advances in Cryptology – CRYPTO ’13, 2013
Cited by 16 (4 self)
Functional encryption is an emerging paradigm for public-key encryption that enables fine-grained control of access to encrypted data. In this work, we present new perspectives on security definitions for functional encryption, as well as new lower bounds on what can be achieved. Our main contributions are as follows:
• We show a lower bound for functional encryption that satisfies a weak (non-adaptive) simulation-based security notion, via pseudorandom functions. This is the first lower bound that exploits unbounded collusions in an essential way.
• We put forth and discuss a simulation-based notion of security for functional encryption, with an unbounded simulator (called USIM). We show that this notion interpolates indistinguishability and simulation-based security notions, and has strong correlations to results and barriers in the zero-knowledge and multiparty computation literature.
Function-private identity-based encryption: Hiding the function in functional encryption
Advances in Cryptology – CRYPTO ’13. Available as Cryptology ePrint Archive, Report 2013/283, 2013
Cited by 15 (3 self)
We put forward a new notion, function privacy, in identity-based encryption and, more generally, in functional encryption. Intuitively, our notion asks that decryption keys reveal essentially no information on their corresponding identities, beyond the absolute minimum necessary. This is motivated by the need for providing predicate privacy in public-key searchable encryption. Formalizing such a notion, however, is not straightforward as given a decryption key it is always possible to learn some information on its corresponding identity by testing whether it correctly decrypts ciphertexts that are encrypted for specific identities. In light of such an inherent difficulty, any meaningful notion of function privacy must be based on the minimal assumption that, from the adversary’s point of view, identities that correspond to its given decryption keys are sampled from somewhat unpredictable distributions. We show that this assumption is in fact sufficient for obtaining a strong and realistic notion of function privacy. Loosely speaking, our framework requires that a decryption key corresponding to an identity sampled from any sufficiently unpredictable distribution is indistinguishable from a decryption key corresponding to an independently and uniformly sampled identity. Within our framework we develop an approach for designing function-private identity-based encryption schemes, leading to constructions that are based on standard assumptions in bilinear groups (DBDH, DLIN) and lattices (LWE). In addition to function privacy, our schemes are also anonymous, and thus yield the first public-key searchable encryption schemes that are provably
Attribute-based functional encryption on lattices (Extended Abstract)
2012
Cited by 14 (0 self)
We introduce a broad lattice manipulation technique for expressive cryptography, and use it to realize functional encryption for access structures from post-quantum hardness assumptions. Specifically, we build an efficient key-policy attribute-based encryption scheme, and prove its security in the selective sense from learning-with-errors intractability in the standard model.
Semantically-Secure Functional Encryption: Possibility Results, Impossibility Results and the Quest for a General Definition
2012
Cited by 13 (0 self)
This paper explains that SS1-secure functional encryption (FE) as defined by Boneh, Sahai and Waters implicitly incorporates security under key-revealing selective opening attacks (SOA-K). This connection helps intuitively explain their impossibility results and also allows us to prove stronger ones. To fill this gap and move us closer to the (laudable) goal of a general and achievable notion of FE security, we seek and provide two “sans SOA-K” definitions of FE security that we call SS2 and SS3. We prove various possibility results about these definitions. We view our work as a first step towards the challenging goal of a general, meaningful and achievable notion of FE security.
Functional Encryption: A New Vision for Public Key Cryptography
Cited by 12 (1 self)
Encryption is a method for a user to securely share data over an insecure network or storage server. Before the advent of public-key cryptography, a widely held view was that for two users to communicate data confidentially they would need to first establish a mutually held secret key k. While this might be acceptable for some small or tightly knit organizations, such a solution was clearly infeasible for larger networks such as today’s Internet. Over thirty years ago, Diffie and Hellman [DH76a, DH76b] put forth the concept of public-key cryptography, where two parties can securely communicate with each other without having a prior mutual secret, radically challenging the conventional wisdom of the time. Today public key encryption is an invaluable tool and its use is ubiquitous in securing web communication (e.g. HTTPS and SSH), voice traffic, and storage systems. However, there is an ingrained view that: