Results 1  10
of
46
Attributebased encryption for circuits from multilinear maps. Cryptology ePrint Archive, Report 2013/128, 2013. http://eprint.iacr.org/. Oded Goldreich and
"... In this work, we provide the first construction of AttributeBased Encryption (ABE) for general circuits. Our construction is based on the existence of multilinear maps. We prove selective security of our scheme in the standard model under the natural multilinear generalization of the BDDH assumptio ..."
Abstract

Cited by 54 (8 self)
 Add to MetaCart
In this work, we provide the first construction of AttributeBased Encryption (ABE) for general circuits. Our construction is based on the existence of multilinear maps. We prove selective security of our scheme in the standard model under the natural multilinear generalization of the BDDH assumption. Our scheme achieves both KeyPolicy and CiphertextPolicy variants of ABE. Our scheme and its proof of security directly translate to the recent multilinear map framework of Garg, Gentry, and Halevi. This paper subsumes the manuscript of Sahai and Waters [SW12].
Reusable garbled circuits and succinct functional encryption
, 2013
"... Garbled circuits, introduced by Yao in the mid 80s, allow computing a function f on an input x without leaking anything about f or x besides f(x). Garbled circuits found numerous applications, but every known construction suffers from one limitation: it offers no security if used on multiple inputs ..."
Abstract

Cited by 42 (3 self)
 Add to MetaCart
(Show Context)
Garbled circuits, introduced by Yao in the mid 80s, allow computing a function f on an input x without leaking anything about f or x besides f(x). Garbled circuits found numerous applications, but every known construction suffers from one limitation: it offers no security if used on multiple inputs x. In this paper, we construct for the first time reusable garbled circuits. The key building block is a new succinct singlekey functional encryption scheme. Functional encryption is an ambitious primitive: given an encryption Enc(x) of a value x, and a secret key skf for a function f, anyone can compute f(x) without learning any other information about x. We construct, for the first time, a succinct functional encryption scheme for any polynomialtime function f where succinctness means that the ciphertext size does not grow with the size of the circuit for f, but only with its depth. The security of our construction is based on the intractability of the Learning with Errors (LWE) problem and holds as long as an adversary has access to a single key skf (or even an a priori bounded number of keys for different functions). Building on our succinct singlekey functional encryption scheme, we show several new applications in addition to reusable garbled circuits, such as a paradigm for general function obfuscation which we call tokenbased obfuscation, homomorphic encryption for a class of Turing machines where the evaluation runs in inputspecific time rather than worstcase time, and a scheme for delegating computation which is publicly verifiable and maintains the privacy of the computation.
Attributebased encryption for circuits
 In STOC
"... In an attributebased encryption (ABE) scheme, a ciphertext is associated with an ℓbit public index ind and a message m, and a secret key is associated with a Boolean predicate P. The secret key allows to decrypt the ciphertext and learn m iff P (ind) = 1. Moreover, the scheme should be secure aga ..."
Abstract

Cited by 42 (11 self)
 Add to MetaCart
In an attributebased encryption (ABE) scheme, a ciphertext is associated with an ℓbit public index ind and a message m, and a secret key is associated with a Boolean predicate P. The secret key allows to decrypt the ciphertext and learn m iff P (ind) = 1. Moreover, the scheme should be secure against collusions of users, namely, given secret keys for polynomially many predicates, an adversary learns nothing about the message if none of the secret keys can individually decrypt the ciphertext. We present attributebased encryption schemes for circuits of any arbitrary polynomial size, where the public parameters and the ciphertext grow linearly with the depth of the circuit. Our construction is secure under the standard learning with errors (LWE) assumption. Previous constructions of attributebased encryption were for Boolean formulas, captured by the complexity class NC1. In the course of our construction, we present a new framework for constructing ABE schemes. As a byproduct of our framework, we obtain ABE schemes for polynomialsize branching programs, corresponding to the complexity class LOGSPACE, under quantitatively better assumptions.
Witness encryption from instance independent assumptions
 In Advances in Cryptology CRYPTO
, 2014
"... Witness encryption was proposed by Garg, Gentry, Sahai, and Waters as a means to encrypt to an instance, x, of an NP language and produce a ciphertext. In such a system, any decryptor that knows of a witness w that x is in the language can decrypt the ciphertext and learn the message. In addition to ..."
Abstract

Cited by 23 (3 self)
 Add to MetaCart
Witness encryption was proposed by Garg, Gentry, Sahai, and Waters as a means to encrypt to an instance, x, of an NP language and produce a ciphertext. In such a system, any decryptor that knows of a witness w that x is in the language can decrypt the ciphertext and learn the message. In addition to proposing the concept, their work provided a candidate for a witness encryption scheme built using multilinear encodings. However, one significant limitation of the work is that the candidate had no proof of security (other than essentially assuming the scheme secure). In this work we provide a proof framework for proving witness encryption schemes secure under instance independent assumptions. At the highest level we introduce the abstraction of positional witness encryption which allows a proof reduction of a witness encryption scheme via a sequence of 2n hybrid experiments where n is the witness length of the NPstatement. Each hybrid step proceeds by looking at a single witness candidate and using the fact that it does not satisfy the NPrelation to move the proof forward. We show that this “isolation strategy” enables one to create a witness encryption system that is provably secure from assumptions that are (maximally) independent of any particular encryption instance. We demonstrate the viability of our approach by implementing this strategy using level nlinear encodings where n is the witness length. Our complexity assumption has ≈ n group elements, but does not otherwise depend on the NPinstance x. 1
Fully KeyHomomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits
, 2014
"... We construct the first (keypolicy) attributebased encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fanin gates thereby further redu ..."
Abstract

Cited by 19 (2 self)
 Add to MetaCart
We construct the first (keypolicy) attributebased encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fanin gates thereby further reducing the circuit depth. Building on this ABE system we obtain the first reusable circuit garbling scheme that produces garbled circuits whose size is the same as the original circuit plus an additive poly(λ, d) bits, where λ is the security parameter and d is the circuit depth. Save the additive poly(λ, d) factor, this is the best one could hope for. All previous constructions incurred a multiplicative poly(λ) blowup. As another application, we obtain (single key secure) functional encryption with short secret keys. We construct our attributebased system using a mechanism we call fully keyhomomorphic encryption which is a publickey system that lets anyone translate a ciphertext encrypted under a publickey x into a ciphertext encrypted under the publickey (f(x), f) of the same plaintext, for any efficiently computable f. We show that this mechanism gives an ABE with short keys. Security is based on the subexponential hardness of the learning with errors problem. We also present a second (keypolicy) ABE, using multilinear maps, with short ciphertexts: an encryption to an attribute vector x is the size of x plus poly(λ, d) additional bits. This gives a reusable circuit garbling scheme where the size of the garbled input is short, namely the same as that of the original input, plus a poly(λ, d) factor.
How to Run Turing Machines on Encrypted Data
"... Abstract. Algorithms for computing on encrypted data promise to be a fundamental building block of cryptography. The way one models such algorithms has a crucial effect on the efficiency and usefulness of the resulting cryptographic schemes. As of today, almost all known schemes for fully homomorphi ..."
Abstract

Cited by 15 (1 self)
 Add to MetaCart
Abstract. Algorithms for computing on encrypted data promise to be a fundamental building block of cryptography. The way one models such algorithms has a crucial effect on the efficiency and usefulness of the resulting cryptographic schemes. As of today, almost all known schemes for fully homomorphic encryption, functional encryption, and garbling schemes work by modeling algorithms as circuits rather than as Turing machines. As a consequence of this modeling, evaluating an algorithm over encrypted data is as slow as the worstcase running time of that algorithm, a dire fact for many tasks. In addition, in settings where an evaluator needs a description of the algorithm itself in some “encoded ” form, the cost of computing and communicating such encoding is as large as the worstcase running time of this algorithm. In this work, we construct cryptographic schemes for computing Turing machines on encrypted data that avoid the worstcase problem. Specifically, we show: – An attributebased encryption scheme for any polynomialtime Turing machine and Random Access Machine (RAM).
Dual system encryption via predicate encodings
 In TCC
, 2014
"... Abstract. We introduce the notion of predicate encodings, an informationtheoretic primitive reminiscent of linear secretsharing that in addition, satisfies a novel notion of reusability. Using this notion, we obtain a unifying framework for adaptivelysecure publicindex predicate encryption schem ..."
Abstract

Cited by 13 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce the notion of predicate encodings, an informationtheoretic primitive reminiscent of linear secretsharing that in addition, satisfies a novel notion of reusability. Using this notion, we obtain a unifying framework for adaptivelysecure publicindex predicate encryption schemes for a large class of predicates. Our framework relies onWaters ’ dual system encryption methodology (Crypto ’09), and encompass the identitybased encryption scheme of Lewko and Waters (TCC ’10), and the attributebased encryption scheme of Lewko et al. (Eurocrypt ’10). In addition, we obtain several concrete improvements over prior works. Our work offers a novel interpretation of dual system encryption as a methodology for amplifying a onetime privatekey primitive (i.e. predicate encodings) into a manytime publickey primitive (i.e. predicate encryption).
Dynamic credentials and ciphertext delegation for attributebased encryption
 in Proceedings of the 32nd Annual International Cryptology Conference: Advances in Cryptology  CRYPTO’2012
, 2012
"... Motivated by the question of access control in cloud storage, we consider the problem using AttributeBased Encryption (ABE) in a setting where users ’ credentials may change and ciphertexts may be stored by a third party. We find that a comprehensive solution to our problem must simultaneously allo ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
(Show Context)
Motivated by the question of access control in cloud storage, we consider the problem using AttributeBased Encryption (ABE) in a setting where users ’ credentials may change and ciphertexts may be stored by a third party. We find that a comprehensive solution to our problem must simultaneously allow for the revocation of ABE private keys as well as allow for the ability to update ciphertexts to reflect the most recent updates. Our main result is obtained by pairing two contributions: • Revocable Storage. We ask how a third party can process a ciphertext to disqualify revoked users from accessing data that was encrypted in the past, while the user still had access. In applications, such storage may be with an untrusted entity and as such, we require that the ciphertext management operations can be done without access to any sensitive data (which rules out decryption and reencryption). We define the problem of revocable storage and provide a fully secure construction. Our core tool is a new procedure that we call ciphertext delegation. One can apply ciphertext delegation on a ciphertext encrypted under a certain access policy to ‘reencrypt ’ it to a more restrictive policy using only public
Déja ̀ Q: Using Dual Systems to Revisit qType Assumptions
"... After more than a decade of usage, bilinear groups have established their place in the cryptographic canon by enabling the construction of many advanced cryptographic primitives. Unfortunately, this explosion in functionality has been accompanied by an analogous growth in the complexity of the ass ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
(Show Context)
After more than a decade of usage, bilinear groups have established their place in the cryptographic canon by enabling the construction of many advanced cryptographic primitives. Unfortunately, this explosion in functionality has been accompanied by an analogous growth in the complexity of the assumptions used to prove security. Many of these assumptions have been gathered under the umbrella of the “uberassumption, ” yet certain classes of these assumptions — namely, qtype assumptions — are stronger and require larger parameter sizes than their static counterparts. In this paper, we show that in certain bilinear groups, many classes of qtype assumptions are in fact implied by subgroup hiding (a wellestablished, static assumption). Our main tool in this endeavor is the dualsystem technique, as introduced by Waters in 2009. As a case study, we first show that in compositeorder groups, we can prove the security of the DodisYampolskiy PRF based solely on subgroup hiding and allow for a domain of arbitrary size (the original proof only allowed a logarithmicallysized domain). We then turn our attention to classes of qtype assumptions and show that they are implied — when instantiated in appropriate groups — solely by subgroup hiding. These classes are quite general and include assumptions such as qSDH. Concretely, our result implies that every construction relying on such assumptions for security (e.g., BonehBoyen signatures) can, when instantiated in appropriate compositeorder bilinear groups, be proved secure under subgroup hiding instead. 1
Algebraic (Trapdoor) OneWay Functions and their Applications
"... Abstract. In this paper we introduce the notion of Algebraic (Trapdoor) One Way Functions, which, roughly speaking, captures and formalizes many of the properties of numbertheoretic oneway functions. Informally, a (trapdoor) one way function F: X → Y is said to be algebraic if X and Y are (finite) ..."
Abstract

Cited by 6 (3 self)
 Add to MetaCart
Abstract. In this paper we introduce the notion of Algebraic (Trapdoor) One Way Functions, which, roughly speaking, captures and formalizes many of the properties of numbertheoretic oneway functions. Informally, a (trapdoor) one way function F: X → Y is said to be algebraic if X and Y are (finite) abelian cyclic groups, the function is homomorphic i.e. F (x) · F (y) = F (x · y), and is fieldhomomorphic, meaning that it is possible to compute linear operations “in the exponent ” over some field (which may be different from Zp where p is the order of the underlying group X) without knowing the bases. Moreover, algebraic OWFs must be strongly oneway in the sense that given y = F (x), it must be infeasible to compute (x ′ , d) such that F (x ′ ) = y d (for d ̸ = 0). Interestingly, algebraic one way functions can be constructed from a variety of standard number theoretic assumptions, such as RSA, Factoring and CDH over bilinear groups. As a second contribution of this paper, we show several applications where algebraic (trapdoor) OWFs turn out to be useful. In particular: – Publicly Verifiable Secure Outsourcing of Polynomials: We present efficient solutions which work for fields of arbitrary size and characteristic. When instantiating our protocol with the RSA/Factoring based algebraic OWFs we obtain the first solution which supports small field size, is efficient and