Results 1  10
of
27
PublicKey Cryptosystems Resilient to Key Leakage
"... Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture sidechannel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent sidec ..."
Abstract

Cited by 89 (6 self)
 Add to MetaCart
(Show Context)
Most of the work in the analysis of cryptographic schemes is concentrated in abstract adversarial models that do not capture sidechannel attacks. Such attacks exploit various forms of unintended information leakage, which is inherent to almost all physical implementations. Inspired by recent sidechannel attacks, especially the “cold boot attacks ” of Halderman et al. (USENIX Security ’08), Akavia, Goldwasser and Vaikuntanathan (TCC ’09) formalized a realistic framework for modeling the security of encryption schemes against a wide class of sidechannel attacks in which adversarially chosen functions of the secret key are leaked. In the setting of publickey encryption, Akavia et al. showed that Regev’s latticebased scheme (STOC ’05) is resilient to any leakage of
Fully Homomorphic Encryption from RingLWE and Security for Key Dependent Messages
 in Advances in Cryptology—CRYPTO 2011, Lect. Notes in Comp. Sci. 6841 (2011
"... Abstract. We present a somewhat homomorphic encryption scheme that is both very simple to describe and analyze, and whose security (quantumly) reduces to the worstcase hardness of problems on ideal lattices. We then transform it into a fully homomorphic encryption scheme using standard “squashing ” ..."
Abstract

Cited by 72 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We present a somewhat homomorphic encryption scheme that is both very simple to describe and analyze, and whose security (quantumly) reduces to the worstcase hardness of problems on ideal lattices. We then transform it into a fully homomorphic encryption scheme using standard “squashing ” and “bootstrapping ” techniques introduced by Gentry (STOC 2009). One of the obstacles in going from “somewhat ” to full homomorphism is the requirement that the somewhat homomorphic scheme be circular secure, namely, the scheme can be used to securely encrypt its own secret key. For all known somewhat homomorphic encryption schemes, this requirement was not known to be achievable under any cryptographic assumption, and had to be explicitly assumed. We take a step forward towards removing this additional assumption by proving that our scheme is in fact secure when encrypting polynomial functions of the secret key. Our scheme is based on the ring learning with errors (RLWE) assumption that was recently introduced by Lyubashevsky, Peikert and Regev (Eurocrypt 2010). The RLWE assumption is reducible to worstcase problems on ideal lattices, and allows us to completely abstract out the lattice interpretation, resulting in an extremely simple scheme. For example, our secret key is s, and our public key is (a, b = as + 2e), where s, a, e are all degree (n − 1) integer polynomials whose coefficients are independently drawn from easy to sample distributions. 1
Foundations of Garbled Circuits
, 2012
"... Garbled circuits, a classical idea rooted in the work of Andrew Yao, have long been understood as a cryptographic technique, not a cryptographic goal. Here we cull out a primitive corresponding to this technique. We call it a garbling scheme. We provide a provablesecurity treatment for garbling s ..."
Abstract

Cited by 51 (5 self)
 Add to MetaCart
Garbled circuits, a classical idea rooted in the work of Andrew Yao, have long been understood as a cryptographic technique, not a cryptographic goal. Here we cull out a primitive corresponding to this technique. We call it a garbling scheme. We provide a provablesecurity treatment for garbling schemes, endowing them with a versatile syntax and multiple security definitions. The most basic of these, privacy, suffices for twoparty secure function evaluation (SFE) and private function evaluation (PFE). Starting from a PRF, we provide an efficient garbling scheme achieving privacy and we analyze its concrete security. We next consider obliviousness and authenticity, properties needed for private and verifiable outsourcing of computation. We extend our scheme to achieve these ends. We provide highly efficient blockcipherbased instantiations of both schemes. Our treatment of garbling schemes presages more efficient garbling, more rigorous analyses, and more
Computing blindfolded: New developments in fully homomorphic encryption
 in Foundations of Computer Science (FOCS), 2011 IEEE 52nd Annual Symposium on. IEEE, 2011
"... Abstract — A fully homomorphic encryption scheme enables computation of arbitrary functions on encrypted data. Fully homomorphic encryption has long been regarded as cryptography’s prized “holy grail ” – extremely useful yet rather elusive. Starting with the groundbreaking work of Gentry in 2009, t ..."
Abstract

Cited by 24 (2 self)
 Add to MetaCart
Abstract — A fully homomorphic encryption scheme enables computation of arbitrary functions on encrypted data. Fully homomorphic encryption has long been regarded as cryptography’s prized “holy grail ” – extremely useful yet rather elusive. Starting with the groundbreaking work of Gentry in 2009, the last three years have witnessed numerous constructions of fully homomorphic encryption involving novel mathematical techniques, and a number of exciting applications. We will take the reader through a journey of these developments and provide a glimpse of the exciting research directions that lie ahead. 1.
Encoding Functions with Constant Online Rate or How to Compress Garbled Circuits Keys
, 2013
"... Randomized encodings of functions can be used to replace a “complex ” function f(x) by a “simpler ” randomized mapping ˆ f(x; r) whose output distribution on an input x encodes the value of f(x) and hides any other information. One desirable feature of randomized encodings is low online complexity. ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
(Show Context)
Randomized encodings of functions can be used to replace a “complex ” function f(x) by a “simpler ” randomized mapping ˆ f(x; r) whose output distribution on an input x encodes the value of f(x) and hides any other information. One desirable feature of randomized encodings is low online complexity. That is, the goal is to obtain a randomized encoding ˆ f of f in which most of the output can be precomputed and published before seeing the input x. When the input x is available, it remains to publish only a short string ˆx, where the online complexity of computing ˆx is independent of (and is typically much smaller than) the complexity of computing f. Yao’s garbled circuit construction gives rise to such randomized encodings in which the online part ˆx consists of n encryption keys of length κ each, where n = x  and κ is a security parameter. Thus, the online rate ˆx/x  of this encoding is proportional to the security parameter κ. In this paper, we show that the online rate can be dramatically improved. Specifically, we show how to encode any polynomialtime computable function f: {0, 1} n → {0, 1} m(n) with online rate of 1+o(1) and with nearly linear online computation. More concretely, the online part ˆx consists of an nbit string and a single encryption key. These constructions can be based on
On the circular security of bitencryption
 In TCC
, 2013
"... Motivated by recent developments in fully homomorphic encryption, we consider the folklore conjecture that every semanticallysecure bitencryption scheme is circular secure, or in other words, that every bitencryption scheme remains secure even when the adversary is given encryptions of the indivi ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
Motivated by recent developments in fully homomorphic encryption, we consider the folklore conjecture that every semanticallysecure bitencryption scheme is circular secure, or in other words, that every bitencryption scheme remains secure even when the adversary is given encryptions of the individual bits of the privatekey. We show the following obstacles to proving this conjecture: 1. We construct a publickey bitencryption scheme that is plausibly semantically secure, but is not circular secure. The circular security attack manages to fully recover the privatekey. The construction is based on an extension of the Symmetric External DiffieHellman assumption (SXDH) from bilinear groups, to ℓmultilinear groups of order p where ℓ ≥ c · log p for some c> 1. While there do exist ℓmultilinear groups (unconditionally), for ℓ ≥ 3 there are no known candidates for which the SXDH problem is believed to be hard. Nevertheless, there is also no evidence that such groups do not exist. Our result shows that in order
Circular and KDM security for identitybased encryption
 In Public Key Cryptography
, 2012
"... We initiate the study of security for keydependent messages (KDM), sometimes also known as “circular ” or “clique ” security, in the setting of identitybased encryption (IBE). Circular/KDM security requires that ciphertexts preserve secrecy even when they encrypt messages that may depend on the se ..."
Abstract

Cited by 12 (3 self)
 Add to MetaCart
We initiate the study of security for keydependent messages (KDM), sometimes also known as “circular ” or “clique ” security, in the setting of identitybased encryption (IBE). Circular/KDM security requires that ciphertexts preserve secrecy even when they encrypt messages that may depend on the secret keys, and arises in natural usage scenarios for IBE. We construct an IBE system that is circular secure for affine functions of users ’ secret keys, based on the learning with errors (LWE) problem (and hence on worstcase lattice problems). The scheme is secure in the standard model, under a natural extension of a selectiveidentity attack. Our three main technical contributions are (1) showing the circular/KDMsecurity of a “dual”style LWE publickey cryptosystem, (2) proving the hardness of a version of the “extended LWE ” problem due to O’Neill, Peikert and Waters (CRYPTO’11), and (3) building an IBE scheme around the dualstyle system using a novel latticebased “allbutd ” trapdoor function. 1
Efficient circuitsize independent public key encryption with KDM security
 IN EUROCRYPT
, 2011
"... Key Dependent Message (KDM) secure encryption is a new area which has attracted much research in recent years. Roughly speaking, a KDM secure scheme w.r.t. a function set F provides security even if one encrypts a key dependent message f(sk) for any f ∈ F. We present a construction of an efficient ..."
Abstract

Cited by 12 (0 self)
 Add to MetaCart
(Show Context)
Key Dependent Message (KDM) secure encryption is a new area which has attracted much research in recent years. Roughly speaking, a KDM secure scheme w.r.t. a function set F provides security even if one encrypts a key dependent message f(sk) for any f ∈ F. We present a construction of an efficient public key encryption scheme which is KDM secure with respect to a large function set F. Our function set is a function computable by a polynomialsize Modular Arithmetic Circuit (MAC); we represent the set as Straight Line Programs computing multivariable polynomials (an extended scheme includes all rational functions whose denominator and numerator are functions as above). Unlike previous schemes, our scheme is what we call flexible: the size of the ciphertext depends on the degree bound for the polynomials, and beyond this all parameters of the scheme are completely independent of the size of the function or the number of secret keys (users). We note that although KDM security has practical applications, all previous works in the standard model are either inefficient feasibility results when dealing with general circuits function sets, or are for a small set of functions such as linear functions. Efficiency of our scheme is dramatically improved compared to the previous feasibility results.
How to garble arithmetic circuits
 In Symposium on Foundations of Computer Science (FOCS ’11
, 2011
"... Yao’s garbled circuit construction transforms a boolean circuit C: {0, 1} n → {0, 1} m into a “garbled circuit ” Ĉ along with n pairs of kbit keys, one for each input bit, such that Ĉ together with the n keys corresponding to an input x reveal C(x) and no additional information about x. The garbled ..."
Abstract

Cited by 10 (3 self)
 Add to MetaCart
(Show Context)
Yao’s garbled circuit construction transforms a boolean circuit C: {0, 1} n → {0, 1} m into a “garbled circuit ” Ĉ along with n pairs of kbit keys, one for each input bit, such that Ĉ together with the n keys corresponding to an input x reveal C(x) and no additional information about x. The garbled circuit construction is a central tool for constantround secure computation and has several other applications. Motivated by these applications, we suggest an efficient arithmetic variant of Yao’s original construction. Our construction transforms an arithmetic circuit C: Zn → Zm over integers from a bounded (but possibly exponential) range into a garbled circuit Ĉ along with n affine functions Li: Z → Zk such that Ĉ together with the n integer vectors Li(xi) reveal C(x) and no additional information about x. The security of our construction relies on the intractability of the learning with errors (LWE) problem. 1
Instantiating Random Oracles via UCEs
, 2013
"... This paper provides a (standardmodel) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; messagelocked encryption; hardcore functions; p ..."
Abstract

Cited by 9 (3 self)
 Add to MetaCart
(Show Context)
This paper provides a (standardmodel) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; messagelocked encryption; hardcore functions; pointfunction obfuscation; OAEP; encryption secure for keydependent messages; encryption secure under relatedkey attack; proofs of storage; and adaptivelysecure garbled circuits with short tokens. We can take existing, natural and efficient ROM schemes and show that the instantiated scheme resulting from replacing the RO with a UCE function is secure in the standard model. In several cases this results in the first standardmodel schemes for these goals. The definition of UCEsecurity itself is quite simple, asking that outputs of the function look random given some “leakage, ” even if the adversary knows the key, as long as the leakage does not permit the adversary to compute the inputs.