Results 1 to 8 of 8
Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation
Cited by 33 (7 self)
Abstract
In this work, we show how to use indistinguishability obfuscation (iO) to build multiparty key exchange, efficient broadcast encryption, and efficient traitor tracing. Our schemes enjoy several interesting properties that have not been achievable before:
• Our multiparty non-interactive key exchange protocol does not require a trusted setup. Moreover, the size of the published value from each user is independent of the total number of users.
• Our broadcast encryption schemes support distributed setup, where users choose their own secret keys rather than be given secret keys by a trusted entity. The broadcast ciphertext size is independent of the number of users.
• Our traitor tracing system is fully collusion resistant with short ciphertexts, secret keys, and public key. Ciphertext size is logarithmic in the number of users and secret-key size is independent of the number of users. Our public key size is polylogarithmic in the number of users. The recent functional encryption system of Garg, Gentry, Halevi, Raykova, Sahai, and Waters also leads to a traitor tracing with similar ciphertext and secret key size, but the construction in this paper is simpler and more direct. These constructions resolve an open problem relating to differential privacy.
• Generalizing our traitor tracing system gives a private broadcast encryption scheme (where broadcast ciphertexts reveal minimal information about the recipient set) with optimal size ciphertext.
Our proof of security for private broadcast encryption and traitor tracing introduces a new tool for iO proofs: the construction makes use of a key-homomorphic symmetric cipher which plays a crucial role in the proof of security.
On the existence of extractable one-way functions
2014
Cited by 14 (3 self)
Abstract
A function f is extractable if it is possible to algorithmically “extract,” from any adversarial program that outputs a value y in the image of f, a preimage of y. When combined with hardness properties such as one-wayness or collision-resistance, extractability has proven to be a powerful tool. However, so far, extractability has not been explicitly shown. Instead, it has only been considered as a non-standard knowledge assumption on certain functions. We make two headways in the study of the existence of extractable one-way functions (EOWFs). On the negative side, we show that if there exist indistinguishability obfuscators for a certain class of circuits then there do not exist EOWFs where extraction works for any adversarial program with auxiliary input of unbounded polynomial length. On the positive side, for adversarial programs with bounded auxiliary input (and unbounded polynomial running time), we give the first construction of EOWFs with an explicit extraction procedure, based on relatively standard assumptions (e.g., subexponential hardness of Learning with Errors). We then use these functions to construct the first 2-message zero-knowledge arguments and 3-message zero-knowledge arguments of knowledge, against the same class of adversarial verifiers, from essentially the
Fully secure constrained pseudorandom functions using random oracles
IACR Cryptology ePrint Archive
Cited by 6 (2 self)
Abstract
A constrained pseudorandom function (CPRF) PRF allows to derive constrained evaluation keys that only allow to evaluate PRF on a subset of inputs. CPRFs have only recently been introduced independently by three groups of researchers. However, somewhat curiously, all of them could only achieve a comparatively weak, selective-challenge form of security (except for small input spaces, very limited forms of constrained keys, or with super-polynomial security reductions). In this paper, we construct the first fully secure CPRF without any of the above restrictions. Concretely, we support “bit-fixing” constrained keys that hardwire an arbitrary subset of the input bits to fixed values, we support exponentially large input spaces, and our security reduction is polynomial. We require very heavyweight tools: we assume multilinear maps, indistinguishability obfuscation, and our proof is in the random oracle model. Still, our analysis is far from tautological, and even with these strong building blocks, we need to develop additional techniques and tools. As a simple application, we obtain the first adaptively secure non-interactive key exchange protocols for large user groups.
Obfuscation ⇒ (IND-CPA Security ⇒ Circular Security)
2013
Cited by 4 (0 self)
Abstract
Circular security is an important notion for public-key encryption schemes and is needed by several cryptographic protocols. In circular security the adversary is given an extra “hint” consisting of a cycle of encryptions of secret keys, i.e., (Epk1(sk2), ..., Epkn(sk1)). A natural question is whether every IND-CPA encryption scheme is also circular secure. It is trivial to see that this is not the case when n = 1. In 2010 a separation for n = 2 was shown by [ABBC10, GH10] under standard assumptions in bilinear groups. In this paper we finally settle the question, showing that for every n there exists an IND-CPA secure scheme which is not n-circular secure. Our result relies on the recent progress in program obfuscation.
Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP
2013
Cited by 4 (2 self)
Abstract
As recent studies show, the notions of program obfuscation and zero knowledge are intimately connected. In this work, we explore this connection further, and prove the following general result. If there exists differing-input obfuscation (diO) for the class of all polynomial time Turing machines, then there exists a four message, fully concurrent zero-knowledge proof system for all languages in NP with negligible soundness error. This result is constructive: given diO, our reduction yields an explicit protocol along with an explicit simulator that is “straight line” and runs in strict polynomial time. Our reduction relies on a new non-black-box simulation technique which does not use the PCP theorem. In addition to assuming diO, our reduction also assumes (standard and polynomial time) cryptographic assumptions such as collision-resistant hash functions. The round complexity of our protocol also sheds new light on the exact round complexity of concurrent zero-knowledge. It shows, for the first time, that in the realm of non-black-box simulation, concurrent zero-knowledge may not necessarily require more rounds than stand-alone zero-knowledge!
Applicability of Indistinguishability Obfuscation (seminar report for Research Seminar in Cryptography)
On Generic Constructions of Circularly-Secure, Leakage-Resilient Public-Key Encryption Schemes
Abstract
We propose generic constructions of public-key encryption schemes, satisfying key-dependent message (KDM) security for projections and different forms of key-leakage resilience, from CPA-secure private-key encryption schemes with two main abstract properties: (1) additive homomorphism with respect to both messages and randomness, and (2) reproducibility, providing a means for reusing encryption randomness across independent secret keys. More precisely, our construction transforms a private-key scheme with the stated properties (and one more mild condition) into a public-key one, providing:
– n-KDM-projection security, an extension of circular security, where the adversary may also ask for encryptions of negated secret key bits;
– a (1 − o(1)) resilience rate in the bounded-memory leakage model of Akavia et al. (TCC 2009); and
– auxiliary-input security against subexponentially-hard functions.
We introduce homomorphic weak pseudorandom functions, a homomorphic version of the weak PRFs proposed by Naor and Reingold (FOCS ’95), and use them to realize our base encryption scheme. We obtain homomorphic weak PRFs under assumptions including subgroup indistinguishability (implied, in particular, by QR and DCR) and homomorphic hash-proof systems (HHPS). As corollaries of our results, we obtain (1) a projection-secure encryption scheme (as well as a scheme with a (1 − o(1)) resilience rate) based solely on the HHPS assumption, and (2) a unifying approach explaining the results of Boneh et al. (CRYPTO ’08) and Brakerski and Goldwasser (CRYPTO ’10). Finally, by observing that Applebaum’s KDM amplification method (EUROCRYPT ’11) preserves both types of leakage resilience, we obtain schemes providing at the same time high leakage resilience and KDM security against any fixed polynomial-sized circuit family.
New Circular Security Counterexamples from Decision Linear and Learning with Errors
2015
Abstract
We investigate new constructions of n-circular counterexamples with a focus on the case of n = 2. We have a particular interest in what qualities a cryptosystem must have to be able to separate such circular security from IND-CPA or IND-CCA security. To start, we ask whether there is something special about the asymmetry in bilinear groups that is inherent in the works of [1] and [17] or whether it is actually the bilinearity that matters. As a further question, we explore whether such counterexamples are derivable from other assumptions such as the Learning with Errors (LWE) problem. If it were difficult to find such counterexamples, this might bolster our confidence in using 2-circular encryption as a method of bootstrapping Fully Homomorphic Encryption systems that are based on lattice assumptions. The results of this paper broadly expand the class of assumptions under which we can build 2-circular counterexamples. We first show for any constant k ≥ 2 how to build counterexamples from a bilinear group under the decision k-linear assumption. Recall that the decision k-linear assumption becomes progressively weaker as k becomes larger. This means that we can instantiate counterexamples from symmetric bilinear groups and shows that asymmetric groups do not have any inherently special property needed for this problem. We then show how to create 2-circular counterexamples from the Learning with Errors problem. This extends the reach of these systems beyond bilinear groups and obfuscation.