Results 1  10
of
12
Semantically Secure OrderRevealing Encryption: MultiInput Functional Encryption Without Obfuscation
"... Deciding “greaterthan” relations among data items just given their encryptions is at the heart of search algorithms on encrypted data, most notably, noninteractive binary search on encrypted data. Orderpreserving encryption provides one solution, but provably provides only limited security guaran ..."
Abstract

Cited by 10 (1 self)
 Add to MetaCart
(Show Context)
Deciding “greaterthan” relations among data items just given their encryptions is at the heart of search algorithms on encrypted data, most notably, noninteractive binary search on encrypted data. Orderpreserving encryption provides one solution, but provably provides only limited security guarantees. Twoinput functional encryption is another approach, but requires the full power of obfuscation machinery and is currently not implementable. We construct the first implementable encryption system supporting greaterthan comparisons on encrypted data that provides the “bestpossible ” semantic security. In our scheme there is a public algorithm that given two ciphertexts as input, reveals the order of the corresponding plaintexts and nothing else. Our constructions are inspired by obfuscation techniques, but do not use obfuscation. For example, to compare two 16bit encrypted values (e.g., salaries or age) we only need a 9way multilinear map. More generally, comparing kbit values requires only a (k/2 + 1)way multilinear map. The required degree of multilinearity can be further reduced, but at the cost of increasing ciphertext size. Beyond comparisons, our results give an implementable secretkey multiinput functional encryption scheme for functionalities that can be expressed as (generalized) branching programs of polynomial length and width. Comparisons are a special case of this class, where for kbit inputs the branching program is of length k + 1 and width 4.
The Trojan Method in Functional Encryption: From Selective to Adaptive Security, Generically
"... In a functional encryption (FE) scheme, the owner of the secret key can generate restricted decryption keys that allow users to learn specific functions of the encrypted messages and nothing else. In many known constructions of FE schemes, such a notion of security is guaranteed only for messages th ..."
Abstract

Cited by 6 (3 self)
 Add to MetaCart
(Show Context)
In a functional encryption (FE) scheme, the owner of the secret key can generate restricted decryption keys that allow users to learn specific functions of the encrypted messages and nothing else. In many known constructions of FE schemes, such a notion of security is guaranteed only for messages that are fixed ahead of time (i.e., before the adversary even interacts with the system). This is called selective security, which is too restrictive for many realistic applications. Achieving adaptive security (also called full security), where security is guaranteed even for messages that are adaptively chosen at any point in time, seems significantly more challenging. The handful of known fullysecure schemes are based on specifically tailored techniques that rely on strong assumptions (such as obfuscation assumptions or multilinear maps assumptions). In this paper we show that any sufficiently expressive selectivelysecure FE scheme can be transformed into a fully secure one without introducing any additional assumptions. We present a direct blackbox transformation, making novel use of hybrid encryption, a classical technique that was originally introduced for improving the efficiency of encryption schemes, combined with a new technique we call the Trojan Method. This method allows to embed a secret execution thread in the functional keys of the underlying
Limits on the power of indistinguishability obfuscation and functional encryption
, 2015
"... Recent breakthroughs in cryptography have positioned indistinguishability obfuscation as a "central hub" for almost all known cryptographic tasks, and as an extremely powerful building block for new cryptographic tasks resolving longstanding and foundational open problems. However, constr ..."
Abstract

Cited by 4 (2 self)
 Add to MetaCart
(Show Context)
Recent breakthroughs in cryptography have positioned indistinguishability obfuscation as a "central hub" for almost all known cryptographic tasks, and as an extremely powerful building block for new cryptographic tasks resolving longstanding and foundational open problems. However, constructions based on indistinguishability obfuscation almost always rely on nonblackbox techniques, and thus the extent to which it can be used as a building block has been completely unexplored so far. We present a framework for proving meaningful negative results on the power of indistinguishability obfuscation. By considering indistinguishability obfuscation for oracleaided circuits, we capture the common techniques that have been used so far in constructions based on indistinguishability obfuscation. These include, in particular, nonblackbox techniques such as the punctured programming approach of Sahai and Waters (STOC '14) and its variants, as well as subexponential security assumptions. Within our framework we prove the rst negative results on the power of indistinguishability obfuscation and of the tightly related notion of functional encryption. Our results are as follows:
Indistinguishability Obfuscation from Compact Functional Encryption
"... The arrival of indistinguishability obfuscation (iO) has transformed the cryptographic landscape by enabling several security goals that were previously beyond our reach. Consequently, one of the pressing goals currently is to construct iO from wellstudied standard cryptographic assumptions. In th ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
The arrival of indistinguishability obfuscation (iO) has transformed the cryptographic landscape by enabling several security goals that were previously beyond our reach. Consequently, one of the pressing goals currently is to construct iO from wellstudied standard cryptographic assumptions. In this work, we make progress in this direction by presenting a reduction from iO to a natural form of publickey functional encryption (FE). Specifically, we construct iO for general functions from any singlekey FE scheme for NC1 that achieves selective, indistinguishability security against subexponential time adversaries. Further, the FE scheme should be compact, namely, the running time of the encryption algorithm must only be a polynomial in the security parameter and the input message length (and not in the function description size or its output length). We achieve this result by developing a novel arity amplification technique to transform FE for singleary functions into FE for multiary functions (aka multiinput FE). Instantiating our approach with known, noncompact FE schemes, we obtain the first constructions of multiinput FE for constantary functions based on standard assumptions. Finally, as a result of independent interest, we construct a compact FE scheme from randomized encodings for Turing machines and learning with errors assumption.
Functional Encryption for Randomized Functionalities in the PrivateKey Setting from Minimal Assumptions
"... We present a construction of a privatekey functional encryption scheme for any family of randomized functionalities based on any such scheme for deterministic functionalities that is sufficiently expressive. Instantiating our construction with existing schemes for deterministic functionalities, we ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
(Show Context)
We present a construction of a privatekey functional encryption scheme for any family of randomized functionalities based on any such scheme for deterministic functionalities that is sufficiently expressive. Instantiating our construction with existing schemes for deterministic functionalities, we obtain schemes for any family of randomized functionalities based on a variety of assumptions (including the LWE assumption, simple assumptions on multilinear maps, and even the existence of any oneway function) offering various tradeoffs between security and efficiency. Previously, Goyal, Jain, Koppula and Sahai [Cryptology ePrint Archive, 2013] constructed a publickey functional encryption scheme for any family of randomized functionalities based on indistinguishability obfuscation. One of the key insights underlying our work is that, in the privatekey setting, a sufficiently expressive functional encryption scheme may be appropriately utilized for implementing proof techniques that were so far implemented based on obfuscation assumptions (such as the punctured programming technique of Sahai and Waters [STOC 2014]). We view this as a contribution of independent interest that may be found useful in other settings as well.
OrderRevealing Encryption and the Hardness of Private Learning
, 2015
"... An orderrevealing encryption scheme gives a public procedure by which two ciphertexts can be compared to reveal the ordering of their underlying plaintexts. We show how to use orderrevealing encryption to separate computationally efficient PAC learning from efficient (ε, δ)differentially private ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
(Show Context)
An orderrevealing encryption scheme gives a public procedure by which two ciphertexts can be compared to reveal the ordering of their underlying plaintexts. We show how to use orderrevealing encryption to separate computationally efficient PAC learning from efficient (ε, δ)differentially private PAC learning. That is, we construct a concept class that is efficiently PAC learnable, but for which every efficient learner fails to be differentially private. This answers a question of Kasiviswanathan et al. (FOCS ’08, SIAM J. Comput. ’11). To prove our result, we give a generic transformation from an orderrevealing encryption scheme into one with strongly correct comparison, which enables the consistent comparison of ciphertexts that are not obtained as the valid encryption of any message. We believe this construction may be of independent interest.
Survey on Cryptographic Obfuscation
, 2015
"... The recent result of Garg et al. (FOCS 2013) changed the previously pessimistic attitude towards general purpose cryptographic obfuscation. Since their first candidate construction, several authors proposed newer and newer schemes with more persuasive security arguments and better efficiency. At th ..."
Abstract
 Add to MetaCart
The recent result of Garg et al. (FOCS 2013) changed the previously pessimistic attitude towards general purpose cryptographic obfuscation. Since their first candidate construction, several authors proposed newer and newer schemes with more persuasive security arguments and better efficiency. At the same time, indistinguishability obfuscation proved its extreme usefulness by becoming the basis of many solutions for longstanding open problems in cryptography e.g. functional or witness encryption and others. In this survey, we give an overview of recent research, focusing on the theoretical results on general purpose obfuscation, particularly, indistinguishability obfuscation.
Indistinguishability Obfuscation from Functional Encryption for Simple Functions
"... We show how to construct indistinguishability obfuscation (iO) for circuits from any noncompact functional encryption (FE) scheme with subexponential security against unbounded collusions. We accomplish this by giving a generic transformation from any such FE scheme into a compact FE scheme. By c ..."
Abstract
 Add to MetaCart
We show how to construct indistinguishability obfuscation (iO) for circuits from any noncompact functional encryption (FE) scheme with subexponential security against unbounded collusions. We accomplish this by giving a generic transformation from any such FE scheme into a compact FE scheme. By composing this with the transformation from subexponentially secure compact FE to iO (Ananth and Jain [CRYPTO’15], Bitansky and Vaikuntanathan [FOCS’15]), we obtain our main result. Our result provides a new pathway to iO. We use our technique to identify a simple function family for FE that suffices for our general result. We show that the function family Fsimple is complete, where every fsimple ∈ Fsimple consists of three evaluations of a Weak PRF followed by finite operations. We believe that this may be useful for realizing iO from weaker assumptions in the future.
Sanitizable Signcryption: Sanitization over Encrypted Data (Full Version)
"... We initiate the study of sanitizable signatures over encrypted data. While previous solutions for sanitizable signatures require the sanitizer to know, in clear, the original messagesignature pair in order to generate the new signature, we investigate the case where these data should be hidden fro ..."
Abstract
 Add to MetaCart
We initiate the study of sanitizable signatures over encrypted data. While previous solutions for sanitizable signatures require the sanitizer to know, in clear, the original messagesignature pair in order to generate the new signature, we investigate the case where these data should be hidden from the sanitizer and how this can be achieved with encryption. We call this primitive sanitizable signcryption, and argue that there are two options concerning what the sanitizer learns about the sanitized output: in semioblivious sanitizable signcryption schemes the sanitizer may get to know the sanitized messagesignature pair, while fully oblivious sanitizable signcryption schemes even protect the output data. Depending on the application, either notion may be preferable. We continue to show that semioblivious sanitizable signcryption schemes can be constructed in principle, using the power of multiinput functional encryption. To this end, we wrap a regular sanitizable signature scheme into a multiinput functional encryption scheme, such that functional decryption corresponds to the sanitization process. Remarkably, the multiinput functional encryption scheme cannot easily be transferred to a fully oblivious sanitizable signcryption version, so we give a restricted solution based on fully homomorphic encryption for this case. 1 1
FunctionHiding Inner Product Encryption
"... We extend the reach of functional encryption schemes that are provably secure under simple assumptions against unbounded collusion to include functionhiding inner product schemes. Our scheme is a private key functional encryption scheme, where ciphertexts correspond to vectors ~x, secret keys corre ..."
Abstract
 Add to MetaCart
(Show Context)
We extend the reach of functional encryption schemes that are provably secure under simple assumptions against unbounded collusion to include functionhiding inner product schemes. Our scheme is a private key functional encryption scheme, where ciphertexts correspond to vectors ~x, secret keys correspond to vectors ~y, and a decryptor learns 〈~x, ~y〉. Our scheme employs asymmetric bilinear maps and relies only on the SXDH assumption to satisfy a natural indistinguishabilitybased security notion where arbitrarily many key and ciphertext vectors can be simultaneously changed as long as the keyciphertext dot product relationships are all preserved. 1