Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation
Cited by 33 (7 self)
In this work, we show how to use indistinguishability obfuscation (iO) to build multiparty key exchange, efficient broadcast encryption, and efficient traitor tracing. Our schemes enjoy several interesting properties that have not been achievable before:
• Our multiparty non-interactive key exchange protocol does not require a trusted setup. Moreover, the size of the published value from each user is independent of the total number of users.
• Our broadcast encryption schemes support distributed setup, where users choose their own secret keys rather than being given secret keys by a trusted entity. The broadcast ciphertext size is independent of the number of users.
• Our traitor tracing system is fully collusion resistant with short ciphertexts, secret keys, and public key. Ciphertext size is logarithmic in the number of users and secret-key size is independent of the number of users. Our public key size is polylogarithmic in the number of users. The recent functional encryption system of Garg, Gentry, Halevi, Raykova, Sahai, and Waters also leads to a traitor tracing scheme with similar ciphertext and secret key size, but the construction in this paper is simpler and more direct. These constructions resolve an open problem relating to differential privacy.
• Generalizing our traitor tracing system gives a private broadcast encryption scheme (where broadcast ciphertexts reveal minimal information about the recipient set) with optimal size ciphertext. Our proof of security for private broadcast encryption and traitor tracing introduces a new tool for iO proofs: the construction makes use of a key-homomorphic symmetric cipher which plays a crucial role in the proof of security.
On the existence of extractable one-way functions
2014
Cited by 14 (3 self)
A function f is extractable if it is possible to algorithmically “extract,” from any adversarial program that outputs a value y in the image of f, a preimage of y. When combined with hardness properties such as one-wayness or collision-resistance, extractability has proven to be a powerful tool. However, so far, extractability has not been explicitly shown. Instead, it has only been considered as a non-standard knowledge assumption on certain functions. We make two headways in the study of the existence of extractable one-way functions (EOWFs). On the negative side, we show that if there exist indistinguishability obfuscators for a certain class of circuits then there do not exist EOWFs where extraction works for any adversarial program with auxiliary input of unbounded polynomial length. On the positive side, for adversarial programs with bounded auxiliary input (and unbounded polynomial running time), we give the first construction of EOWFs with an explicit extraction procedure, based on relatively standard assumptions (e.g., sub-exponential hardness of Learning with Errors). We then use these functions to construct the first 2-message zero-knowledge arguments and 3-message zero-knowledge arguments of knowledge, against the same class of adversarial verifiers, from essentially the
Fully secure constrained pseudorandom functions using random oracles
IACR Cryptology ePrint Archive
Cited by 6 (2 self)
A constrained pseudorandom function (CPRF) PRF allows one to derive constrained evaluation keys that only allow evaluating PRF on a subset of inputs. CPRFs have only recently been introduced independently by three groups of researchers. However, somewhat curiously, all of them could only achieve a comparatively weak, selective-challenge form of security (except for small input spaces, very limited forms of constrained keys, or with superpolynomial security reductions). In this paper, we construct the first fully secure CPRF without any of the above restrictions. Concretely, we support “bit-fixing” constrained keys that hardwire an arbitrary subset of the input bits to fixed values, we support exponentially large input spaces, and our security reduction is polynomial. We require very heavyweight tools: we assume multilinear maps and indistinguishability obfuscation, and our proof is in the random oracle model. Still, our analysis is far from tautological, and even with these strong building blocks, we need to develop additional techniques and tools. As a simple application, we obtain the first adaptively secure non-interactive key exchange protocols for large user groups.
Obfuscation ⇒ (IND-CPA Security ⇒ Circular Security)
2013
Cited by 4 (0 self)
Circular security is an important notion for public-key encryption schemes and is needed by several cryptographic protocols. In circular security the adversary is given an extra “hint” consisting of a cycle of encryptions of secret keys, i.e., (Epk1(sk2), ..., Epkn(sk1)). A natural question is whether every IND-CPA encryption scheme is also circular secure. It is trivial to see that this is not the case when n = 1. In 2010 a separation for n = 2 was shown by [ABBC10, GH10] under standard assumptions in bilinear groups. In this paper we finally settle the question, showing that for every n there exists an IND-CPA secure scheme which is not n-circular secure. Our result relies on the recent progress in program obfuscation.
Obfuscation-based Non-black-box Simulation and Four Message Concurrent Zero Knowledge for NP
2013
Cited by 4 (2 self)
As recent studies show, the notions of program obfuscation and zero knowledge are intimately connected. In this work, we explore this connection further, and prove the following general result. If there exists differing-input obfuscation (diO) for the class of all polynomial time Turing machines, then there exists a four message, fully concurrent zero-knowledge proof system for all languages in NP with negligible soundness error. This result is constructive: given diO, our reduction yields an explicit protocol along with an explicit simulator that is “straight line” and runs in strict polynomial time. Our reduction relies on a new non-black-box simulation technique which does not use the PCP theorem. In addition to assuming diO, our reduction also assumes (standard and polynomial time) cryptographic assumptions such as collision-resistant hash functions. The round complexity of our protocol also sheds new light on the exact round complexity of concurrent zero-knowledge. It shows, for the first time, that in the realm of non-black-box simulation, concurrent zero-knowledge may not necessarily require more rounds than stand-alone zero-knowledge!
Applicability of Indistinguishability Obfuscation (seminar report for Research Seminar in Cryptography)
On Generic Constructions of Circularly-Secure, Leakage-Resilient Public-Key Encryption Schemes
We propose generic constructions of public-key encryption schemes, satisfying key-dependent message (KDM) security for projections and different forms of key-leakage resilience, from CPA-secure private-key encryption schemes with two main abstract properties: (1) additive homomorphism with respect to both messages and randomness, and (2) reproducibility, providing a means for reusing encryption randomness across independent secret keys. More precisely, our construction transforms a private-key scheme with the stated properties (and one more mild condition) into a public-key one, providing:
– n-KDM-projection security, an extension of circular security, where the adversary may also ask for encryptions of negated secret key bits;
– a (1 − o(1)) resilience rate in the bounded-memory leakage model of Akavia et al. (TCC 2009); and
– auxiliary-input security against subexponentially-hard functions.
We introduce homomorphic weak pseudorandom functions, a homomorphic version of the weak PRFs proposed by Naor and Reingold (FOCS ’95), and use them to realize our base encryption scheme. We obtain homomorphic weak PRFs under assumptions including subgroup indistinguishability (implied, in particular, by QR and DCR) and homomorphic hash-proof systems (HHPS). As corollaries of our results, we obtain (1) a projection-secure encryption scheme (as well as a scheme with a (1 − o(1)) resilience rate) based solely on the HHPS assumption, and (2) a unifying approach explaining the results of Boneh et al. (CRYPTO ’08) and Brakerski and Goldwasser (CRYPTO ’10). Finally, by observing that Applebaum’s KDM amplification method (EUROCRYPT ’11) preserves both types of leakage resilience, we obtain schemes providing at the same time high leakage resilience and KDM security against any fixed polynomial-sized circuit family.
New Circular Security Counterexamples from Decision Linear and Learning with Errors
2015
We investigate new constructions of n-circular counterexamples with a focus on the case of n = 2. We have a particular interest in what qualities a cryptosystem must have to be able to separate such circular security from IND-CPA or IND-CCA security. To start, we ask whether there is something special about the asymmetry in bilinear groups that is inherent in the works of [1] and [17] or whether it is actually the bilinearity that matters. As a further question, we explore whether such counterexamples are derivable from other assumptions such as the Learning with Errors (LWE) problem. If it were difficult to find such counterexamples, this might bolster our confidence in using 2-circular encryption as a method of bootstrapping Fully Homomorphic Encryption systems that are based on lattice assumptions. The results of this paper broadly expand the class of assumptions under which we can build 2-circular counterexamples. We first show for any constant k ≥ 2 how to build counterexamples from a bilinear group under the decision k-linear assumption. Recall that the decision k-linear assumption becomes progressively weaker as k becomes larger. This means that we can instantiate counterexamples from symmetric bilinear groups and shows that asymmetric groups do not have any inherently special property needed for this problem. We then show how to create 2-circular counterexamples from the Learning with Errors problem. This extends the reach of these systems beyond bilinear groups and obfuscation.