Results 1  10
of
21
Reusable garbled circuits and succinct functional encryption
, 2013
"... Garbled circuits, introduced by Yao in the mid 80s, allow computing a function f on an input x without leaking anything about f or x besides f(x). Garbled circuits found numerous applications, but every known construction suffers from one limitation: it offers no security if used on multiple inputs ..."
Abstract

Cited by 42 (3 self)
 Add to MetaCart
(Show Context)
Garbled circuits, introduced by Yao in the mid 80s, allow computing a function f on an input x without leaking anything about f or x besides f(x). Garbled circuits found numerous applications, but every known construction suffers from one limitation: it offers no security if used on multiple inputs x. In this paper, we construct for the first time reusable garbled circuits. The key building block is a new succinct singlekey functional encryption scheme. Functional encryption is an ambitious primitive: given an encryption Enc(x) of a value x, and a secret key skf for a function f, anyone can compute f(x) without learning any other information about x. We construct, for the first time, a succinct functional encryption scheme for any polynomialtime function f where succinctness means that the ciphertext size does not grow with the size of the circuit for f, but only with its depth. The security of our construction is based on the intractability of the Learning with Errors (LWE) problem and holds as long as an adversary has access to a single key skf (or even an a priori bounded number of keys for different functions). Building on our succinct singlekey functional encryption scheme, we show several new applications in addition to reusable garbled circuits, such as a paradigm for general function obfuscation which we call tokenbased obfuscation, homomorphic encryption for a class of Turing machines where the evaluation runs in inputspecific time rather than worstcase time, and a scheme for delegating computation which is publicly verifiable and maintains the privacy of the computation.
On the Achievability of SimulationBased Security for Functional Encryption
"... Abstract. This work attempts to clarify to what extent simulationbased security (SIMsecurity) is achievable for functional encryption (FE) and its relation to the weaker indistinguishabilitybased security (INDsecurity). Our main result is a compiler that transforms any FE scheme for the general ci ..."
Abstract

Cited by 20 (7 self)
 Add to MetaCart
(Show Context)
Abstract. This work attempts to clarify to what extent simulationbased security (SIMsecurity) is achievable for functional encryption (FE) and its relation to the weaker indistinguishabilitybased security (INDsecurity). Our main result is a compiler that transforms any FE scheme for the general circuit functionality (which we denote by CircuitFE) meeting indistinguishabilitybased security (INDsecurity) to a CircuitFE scheme meeting SIMsecurity, where: – In the random oracle model, the resulting scheme is secure for an unbounded number of encryption and key queries, which is the strongest security level one can ask for. – In the standard model, the resulting scheme is secure for a bounded number of encryption and nonadaptive key queries, but an unbounded number of adaptive key queries. This matches known impossibility results and improves upon Gorbunov et al. [CRYPTO’12] (which is only secure for nonadaptive key queries).
Fully KeyHomomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits
, 2014
"... We construct the first (keypolicy) attributebased encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fanin gates thereby further redu ..."
Abstract

Cited by 19 (2 self)
 Add to MetaCart
We construct the first (keypolicy) attributebased encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fanin gates thereby further reducing the circuit depth. Building on this ABE system we obtain the first reusable circuit garbling scheme that produces garbled circuits whose size is the same as the original circuit plus an additive poly(λ, d) bits, where λ is the security parameter and d is the circuit depth. Save the additive poly(λ, d) factor, this is the best one could hope for. All previous constructions incurred a multiplicative poly(λ) blowup. As another application, we obtain (single key secure) functional encryption with short secret keys. We construct our attributebased system using a mechanism we call fully keyhomomorphic encryption which is a publickey system that lets anyone translate a ciphertext encrypted under a publickey x into a ciphertext encrypted under the publickey (f(x), f) of the same plaintext, for any efficiently computable f. We show that this mechanism gives an ABE with short keys. Security is based on the subexponential hardness of the learning with errors problem. We also present a second (keypolicy) ABE, using multilinear maps, with short ciphertexts: an encryption to an attribute vector x is the size of x plus poly(λ, d) additional bits. This gives a reusable circuit garbling scheme where the size of the garbled input is short, namely the same as that of the original input, plus a poly(λ, d) factor.
SemanticallySecure Functional Encryption: Possibility Results, Impossibility Results and the Quest for a General Definition
, 2012
"... This paper explains that SS1secure functional encryption (FE) as defined by Boneh, Sahai and Waters implicitly incorporates security under keyrevealing selective opening attacks (SOAK). This connection helps intuitively explain their impossibility results and also allows us to prove stronger ones ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
(Show Context)
This paper explains that SS1secure functional encryption (FE) as defined by Boneh, Sahai and Waters implicitly incorporates security under keyrevealing selective opening attacks (SOAK). This connection helps intuitively explain their impossibility results and also allows us to prove stronger ones. To fill this gap and move us closer to the (laudable) goal of a general and achievable notion of FE security, we seek and provide two “sans SOAK ” definitions of FE security that we call SS2 and SS3. We prove various possibility results about these definitions. We view our work as a first step towards the challenging goal of a general, meaningful and achievable notion of FE security. 1
Fully secure and succinct attribute based encryption for circuits from multilinear maps. IACR Cryptology ePrint Archive
 In Proc. of CRYPTO, volume 3152 of LNCS
, 2004
"... We propose new fully secure attribute based encryption (ABE) systems for polynomialsize circuits in both keypolicy and ciphertextpolicy flavors. All the previous ABE systems for circuits were proved only selectively secure. Our schemes are based on asymmetric graded encoding systems in composite ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
(Show Context)
We propose new fully secure attribute based encryption (ABE) systems for polynomialsize circuits in both keypolicy and ciphertextpolicy flavors. All the previous ABE systems for circuits were proved only selectively secure. Our schemes are based on asymmetric graded encoding systems in compositeorder settings. The assumptions consist of the Subgroup Decision assumptions and two assumptions which are similar to Multilinear Decisional DiffieHellman assumption (but more complex) and are proved to hold in the generic graded encoding model. Both of our systems enjoy succinctness: key and ciphertext sizes are proportional to their corresponding circuit and input string sizes. Our ciphertextpolicy ABE for circuits is the first to achieve succinctness, and the first that can deal with unboundedsize circuits (even among selectively secure systems). We develop new techniques for proving coselective security of keypolicy ABE for circuits, which is the main ingredient for the dualsystem encryption framework that uses computational arguments for enforcing full security.
Simple Functional Encryption Schemes for Inner Products
"... Abstract. Functional encryption is a new paradigm in publickey encryption that allows users to finely control the amount of information that is revealed by a ciphertext to a given receiver. Recent papers have focused their attention on constructing schemes for general functionalities at expense of ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
Abstract. Functional encryption is a new paradigm in publickey encryption that allows users to finely control the amount of information that is revealed by a ciphertext to a given receiver. Recent papers have focused their attention on constructing schemes for general functionalities at expense of efficiency. Our goal, in this paper, is to construct functional encryption schemes for less general functionalities which are still expressive enough for practical scenarios. We propose a functional encryption scheme for the innerproduct functionality, meaning that decrypting an encrypted vector x with a key for a vector y will reveal only 〈x,y 〉 and nothing else, whose security is based on the DDH assumption. Despite the simplicity of this functionality, it is still useful in many contexts like descriptive statistics. In addition, we generalize our approach and present a generic scheme that can be instantiated, in addition, under the LWE assumption and offers various tradeoffs in terms of expressiveness and efficiency.
Succinct functional encryption and applications: Reusable garbled circuits and beyond
, 2013
"... Functional encryption is a powerful primitive: given an encryption Enc(x) of a value x and a secret key skf corresponding to a circuit f, it enables efficient computation of f(x) without revealing any additional information about x. Constructing functional encryption schemes with succinct ciphertext ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Functional encryption is a powerful primitive: given an encryption Enc(x) of a value x and a secret key skf corresponding to a circuit f, it enables efficient computation of f(x) without revealing any additional information about x. Constructing functional encryption schemes with succinct ciphertexts that guarantee security for even a single secret key (for a general function f) is an important open problem with far reaching applications, which this paper addresses. Our main result is a functional encryption scheme for any general function f of depth d, with succinct ciphertexts whose size grows with the depth d rather than the size of the circuit for f. We prove the security of our construction based on the intractability of the learning with error (LWE) problem. More generally, we show how to construct a functional encryption scheme from any publicindex predicate encryption scheme and fully homomorphic encryption scheme. Previously, the only known constructions of functional encryption were either for specific inner product predicates, or for a weak form of functional encryption where the ciphertext size grows with the size of the circuit for f. We demonstrate the power of this result, by using it to construct a reusable circuit garbling scheme with
Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings
"... We show a generic conversion that converts an attribute based encryption (ABE) scheme for arbitrary predicate into an ABE scheme for its dual predicate. In particular, it can convert keypolicy ABE (KPABE) into ciphertextpolicy ABE (CPABE), and vice versa, for dually related predicates. It is gen ..."
Abstract

Cited by 2 (1 self)
 Add to MetaCart
We show a generic conversion that converts an attribute based encryption (ABE) scheme for arbitrary predicate into an ABE scheme for its dual predicate. In particular, it can convert keypolicy ABE (KPABE) into ciphertextpolicy ABE (CPABE), and vice versa, for dually related predicates. It is generic in the sense that it can be applied to arbitrary predicates. On the other hand, it works only within the generic ABE framework recently proposed by Attrapadung (Eurocrypt’14), which provides a generic compiler that compiles a simple primitive called pair encodings into fully secure ABE. Inside this framework, Attrapadung proposed the first generic dual conversion that works only for subclass of encodings, namely, perfectly secure encodings. However, there are many predicates for which realizations of such encodings are not known, and hence the problems of constructing fully secure ABE for their dual predicates were left unsolved. In this paper, we revisit the dual conversion of Attrapadung, and show that, somewhat surprisingly, the very same conversion indeed also works for broader classes of encodings, namely, computationally secure encodings. Consequently, we thus solve the above open
Accumulating Automata and Cascaded Equations Automata⋆ for Communicationless Information Theoretically Secure MultiParty Computation (Preliminary Report)
"... Abstract. Information theoretically secure multiparty computation implies severe communication overhead among the computing participants, as there is a need to reduce the polynomial degree after each multiplication. In particular, when the input is (practically) unbounded, the number of multiplic ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Information theoretically secure multiparty computation implies severe communication overhead among the computing participants, as there is a need to reduce the polynomial degree after each multiplication. In particular, when the input is (practically) unbounded, the number of multiplications and therefore the communication bandwidth among the participants may be practically unbounded. In some scenarios the communication among the participants should better be avoided altogether, avoiding linkage among the secret share holders. For example, when processes in clouds operate over streaming secret shares without communicating with each other, they can actually hide their linkage and activity in the crowd. An adversary that is able to compromise processes in the cloud may need to capture and analyze a very large number of possible shares. Consider a dealer that wants to repeatedly compute functions on a long file with the assistance of m servers. The dealer does not wish to leak either the input file or the result of the computation to any of the servers. We investigate this setting given two constraints. The dealer is allowed to share each symbol of the input file among the servers and is allowed to halt the computation at any point. However, the dealer is otherwise stateless. Furthermore, each server is not allowed any communication beyond the shares of the inputs that it receives and the information it provides to the dealer during reconstruction.
BUILDING PRACTICAL SYSTEMS THAT COMPUTE ON ENCRYPTED DATA
, 2014
"... Theft of confidential data is prevalent. In most applications, confidential data is stored at servers. Thus, existing systems naturally try to prevent adversaries from compromising these servers. However, experience has shown that adversaries still find a way to break in and steal the data. This di ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Theft of confidential data is prevalent. In most applications, confidential data is stored at servers. Thus, existing systems naturally try to prevent adversaries from compromising these servers. However, experience has shown that adversaries still find a way to break in and steal the data. This dissertation shows how to protect data confidentiality even when attackers get access to all the data stored on servers. We achieve this protection through a new approach to building secure systems: building practical systems that compute on encrypted data, without access to the decryption key. In this setting, we designed and built a database system (CryptDB), a web application platform (Mylar), and two mobile systems, as well as developed new cryptographic schemes for them. We showed that these systems support a wide range of applications with low overhead. The work in this thesis has already had impact: Google uses CryptDB’s design for their new Encrypted BigQuery