Function-Private Functional Encryption in the Private-Key Setting
Functional encryption supports restricted decryption keys that allow users to learn specific functions of the encrypted messages. Whereas the vast majority of research on functional encryption has so far focused on the privacy of the encrypted messages, in many realistic scenarios it is crucial to offer privacy also for the functions for which decryption keys are provided. Whereas function privacy is inherently limited in the public-key setting, in the private-key setting it has a tremendous potential. Specifically, one can hope to construct schemes where encryptions of messages m1, ..., mT together with decryption keys corresponding to functions f1, ..., fT reveal essentially no information other than the values fi(mj) for i, j ∈ [T]. Despite its great potential, the known function-private private-key schemes either support rather limited families of functions (such as inner products), or offer somewhat weak notions of function privacy. We present a generic transformation that yields a function-private functional encryption scheme, starting with any non-function-private scheme for a sufficiently rich function class. Our transformation preserves the message privacy of the underlying scheme, and can be instantiated using a variety of existing schemes. Plugging in known constructions of functional encryption schemes, we obtain function-private schemes based either on obfuscation assumptions, on the Learning with Errors assumption, or even on general public-key encryption (offering various trade-offs between security and efficiency).
How to Obfuscate Programs Directly
We propose a new way to obfuscate programs, using composite-order multilinear maps. Our construction operates directly on straight-line programs (arithmetic circuits), rather than converting them to matrix branching programs as in other known approaches. This yields considerable efficiency improvements. For an NC1 circuit of size s and depth d, with n inputs, we require only O(d²s² + n²) multilinear map operations to evaluate the obfuscated circuit, as compared with other known approaches, for which the number of operations is exponential in d. We prove virtual black-box (VBB) security for our construction in a generic model of multilinear maps of hidden composite order, extending previous models for the prime-order setting. Our scheme works either with “noisy” multilinear maps, which can only evaluate expressions of degree λ^c for a prespecified constant c, or with “clean” multilinear maps, which can evaluate arbitrary expressions. The “noisy” variant can be instantiated at present with the Coron-Lepoint-Tibouchi scheme, while the existence of “clean” maps is still unknown. With known “noisy” maps, our new obfuscator applies only to NC1 circuits, requiring the additional assumption of FHE in order to bootstrap to P/poly (as in other obfuscation constructions). From “clean” multilinear maps, on the other hand (whose existence is still open), we present the first approach that would achieve obfuscation for P/poly directly, without FHE. We also introduce the concept of succinct obfuscation, in which the obfuscation overhead size depends only on the length of the input and of the secret part of the circuit. Using our new techniques, along with the assumption that factoring is hard on average, we show that “clean” multilinear maps imply succinct obfuscation for P/poly. For the first time, the only remaining obstacle to implementable obfuscation in practice is the noise growth in known, “noisy” multilinear maps. Our results demonstrate that the question of “clean” multilinear maps is not a technicality, but a central open problem.
Limits on the power of indistinguishability obfuscation and functional encryption
2015
Recent breakthroughs in cryptography have positioned indistinguishability obfuscation as a "central hub" for almost all known cryptographic tasks, and as an extremely powerful building block for new cryptographic tasks resolving longstanding and foundational open problems. However, constructions based on indistinguishability obfuscation almost always rely on non-black-box techniques, and thus the extent to which it can be used as a building block has been completely unexplored so far. We present a framework for proving meaningful negative results on the power of indistinguishability obfuscation. By considering indistinguishability obfuscation for oracle-aided circuits, we capture the common techniques that have been used so far in constructions based on indistinguishability obfuscation. These include, in particular, non-black-box techniques such as the punctured programming approach of Sahai and Waters (STOC '14) and its variants, as well as subexponential security assumptions. Within our framework we prove the first negative results on the power of indistinguishability obfuscation and of the tightly related notion of functional encryption. Our results are as follows:
Optimizing Obfuscation: Avoiding Barrington’s Theorem
In this work, we seek to optimize the efficiency of secure general-purpose obfuscation schemes. We focus on the problem of optimizing the obfuscation of general Boolean formulas – this corresponds to optimizing the “core obfuscator” from the work of Garg, Gentry, Halevi, Raykova, Sahai, and Waters (FOCS 2013), and all subsequent works constructing general-purpose obfuscators. This core obfuscator builds upon approximate multilinear maps, where efficiency in proposed instantiations is closely tied to the maximum number of “levels” of multilinearity required. The most efficient previous construction of a core obfuscator, due to Barak, Garg, Kalai, Paneth, and Sahai (Eurocrypt 2014), required the maximum number of levels of multilinearity to be Θ(ℓ·s^3.64), where s is the size of the Boolean formula to be obfuscated, and ℓ is the number of input bits to the formula. In contrast, our construction only requires the maximum number of levels of multilinearity to be Θ(ℓ·s). This results in significant improvements in both the total size of the obfuscation, as well as the running time of evaluating an obfuscated formula. Our efficiency improvement is obtained by generalizing the class of branching programs that
Functional Encryption for Randomized Functionalities in the Private-Key Setting from Minimal Assumptions
We present a construction of a private-key functional encryption scheme for any family of randomized functionalities based on any such scheme for deterministic functionalities that is sufficiently expressive. Instantiating our construction with existing schemes for deterministic functionalities, we obtain schemes for any family of randomized functionalities based on a variety of assumptions (including the LWE assumption, simple assumptions on multilinear maps, and even the existence of any one-way function) offering various trade-offs between security and efficiency. Previously, Goyal, Jain, Koppula and Sahai [Cryptology ePrint Archive, 2013] constructed a public-key functional encryption scheme for any family of randomized functionalities based on indistinguishability obfuscation. One of the key insights underlying our work is that, in the private-key setting, a sufficiently expressive functional encryption scheme may be appropriately utilized for implementing proof techniques that were so far implemented based on obfuscation assumptions (such as the punctured programming technique of Sahai and Waters [STOC 2014]). We view this as a contribution of independent interest that may be found useful in other settings as well.
Self-bilinear map on unknown order groups from indistinguishability obfuscation and its applications
In: Advances in Cryptology – CRYPTO 2014, 2014
A self-bilinear map is a bilinear map where the domain and target groups are identical. In this paper, we introduce a self-bilinear map with auxiliary information, which is a weaker variant of a self-bilinear map, construct it based on indistinguishability obfuscation, and prove that a useful hardness assumption holds with respect to our construction under the factoring assumption. From our construction, we obtain a multilinear map with interesting properties: the level of multilinearity is not bounded in the setup phase, and representations of group elements are compact, i.e., their size is independent of the level of multilinearity. This is the first construction of a multilinear map with these properties. Note, however, that to evaluate the multilinear map, auxiliary information is required. As applications of our multilinear map, we construct multiparty non-interactive key-exchange and distributed broadcast encryption schemes where the maximum number of users is not fixed in the setup phase. Besides direct applications of our self-bilinear map, we show that our technique can also be used for constructing somewhat homomorphic encryption based on indistinguishability obfuscation and the Φ-hiding assumption.
Non-Interactive Secure Multiparty Computation
2014
We introduce and study the notion of non-interactive secure multiparty computation (NIMPC). An NIMPC protocol for a function f(x1,..., xn) is specified by a joint probability distribution R = (R1,..., Rn) and local encoding functions Enci(xi, Ri), 1 ≤ i ≤ n. Given correlated randomness (R1,..., Rn) drawn from R, each party Pi, using its input xi and its randomness Ri, computes the message mi = Enci(xi, Ri). The messages m1,..., mn can be used to decode f(x1,..., xn). For a set T ⊆ [n], the protocol is said to be T-robust if revealing the messages (Enci(xi, Ri)) for i ∉ T together with the randomness (Ri) for i ∈ T gives the same information about (xi) for i ∉ T as an oracle access to the function f restricted to these input values. Namely, a coalition T can learn no more than the restriction of f fixing the inputs of uncorrupted parties, which, in this non-interactive setting, one cannot hope to hide. For 0 ≤ t ≤ n, the protocol is t-robust if it is T-robust for every T of size at most t, and it is fully robust if it is n-robust. A 0-robust NIMPC protocol for f coincides with a protocol in the private simultaneous messages model of Feige et al. (STOC 1994). In the setting of computational (indistinguishability-based) security, fully robust NIMPC is implied by multi-input functional encryption, a notion that was recently introduced by Goldwasser et al. (Euro
Revocation in Publicly Verifiable Outsourced Computation
The combination of software-as-a-service and the increasing use of mobile devices gives rise to a considerable difference in computational power between servers and clients. Thus, there is a desire for clients to outsource the evaluation of complex functions to an external server. Servers providing such a service may be rewarded per computation, and as such have an incentive to cheat by returning garbage rather than devoting resources and time to compute a valid result. In this work, we introduce the notion of Revocable Publicly Verifiable Computation (RPVC), where a cheating server is revoked and may not perform future computations (thus incurring a financial penalty). We introduce a Key Distribution Center (KDC) to efficiently handle the generation and distribution of the keys required to support RPVC. The KDC is an authority over entities in the system and enables revocation. We also introduce a notion of blind verification such that results are verifiable (and hence servers can be rewarded or punished) without learning the value. We present a rigorous definitional framework, define a number of new security models and present a construction of such a scheme built upon Key-Policy Attribute-based Encryption.
On Constructing One-Way Permutations from Indistinguishability
We prove that there is no black-box construction of a one-way permutation family from a one-way function and an indistinguishability obfuscator for the class of all oracle-aided circuits, where the construction is “domain invariant” (i.e., where each permutation may have its own domain, but these domains are independent of the underlying building blocks). Following the framework of Asharov and Segev (FOCS ’15), by considering indistinguishability obfuscation for oracle-aided circuits we capture the common techniques that have been used so far in constructions based on indistinguishability obfuscation. These include, in particular, non-black-box techniques such as the punctured programming approach of Sahai and Waters (STOC ’14) and its variants, as well as subexponential security assumptions. For example, we fully capture the construction of a trapdoor permutation family from a one-way function and an indistinguishability obfuscator due to Bitansky, Paneth and Wichs (TCC ’16). Their construction is not domain invariant, and our result shows that this somewhat undesirable property is unavoidable using the common techniques. In fact, we observe that constructions which are not domain invariant circumvent all known
hulman.edu
Order-preserving encryption (OPE) schemes, whose ciphertexts preserve the natural ordering of the plaintexts, allow efficient range query processing over outsourced encrypted databases without giving the server access to the decryption key. Such schemes have recently received increased interest in both the database and the cryptographic communities. In particular, modular order-preserving encryption (MOPE), due to Boldyreva et al. [8], is a promising extension that increases the security of the basic OPE by introducing a secret modular offset to each data value prior to encrypting it. However, executing range queries via MOPE in a naïve way allows the adversary to learn this offset, negating any potential security gains of this approach. In this paper, we systematically address this vulnerability and show that MOPE can be used to build a practical system for executing range queries on encrypted data while providing a significant security improvement over the basic OPE. We introduce two new query execution algorithms for MOPE: our first algorithm is efficient if the user’s query distribution is well-spread, while the second scheme is efficient even for skewed query distributions. Interestingly, our second algorithm achieves this efficiency by leaking the least-important bits of the data, whereas OPE is known to leak the most-important bits of the data. We also show that our algorithms can be extended to the case where the query distribution is adaptively learned online. We present new, appropriate security models for MOPE and use them to rigorously analyze the security of our proposed schemes. Finally, we design a system prototype that integrates our schemes on top of an existing database system and apply query optimization methods to execute SQL queries with range predicates efficiently. We provide a performance evaluation of our prototype under a number of different database and query distributions, using both synthetic and real datasets.