Results 1  10
of
51
Constrained Pseudorandom Functions and Their Applications
"... We put forward a new notion of pseudorandom functions (PRFs) we call constrained PRFs. In a standard PRF there is a master key k that enables one to evaluate the function at all points in the domain of the function. In a constrained PRF it is possible to derive constrained keys ks from the master ke ..."
Abstract

Cited by 69 (11 self)
 Add to MetaCart
We put forward a new notion of pseudorandom functions (PRFs) we call constrained PRFs. In a standard PRF there is a master key k that enables one to evaluate the function at all points in the domain of the function. In a constrained PRF it is possible to derive constrained keys ks from the master key k. A constrained key ks enables the evaluation of the PRF at a certain subset S of the domain and nowhere else. We present a formal framework for this concept and show that constrained PRFs can be used to construct powerful primitives such as identitybased key exchange and an optimal private broadcast encryption system. We then construct constrained PRFs for several natural set systems needed for these applications. We conclude with several open problems relating to this new concept.
Efficient Garbling from a FixedKey Blockcipher
, 2013
"... We advocate schemes based on fixedkey AES as the best route to highly efficient circuitgarbling. We provide such schemes making only one AES call per garbledgate evaluation. On the theoretical side, we justify the security of these methods in the randompermutation model, where parties have acce ..."
Abstract

Cited by 34 (3 self)
 Add to MetaCart
We advocate schemes based on fixedkey AES as the best route to highly efficient circuitgarbling. We provide such schemes making only one AES call per garbledgate evaluation. On the theoretical side, we justify the security of these methods in the randompermutation model, where parties have access to a public random permutation. On the practical side, we provide the JustGarble system, which implements our schemes. JustGarble evaluates moderatesized garbledcircuits at an
How to Garble RAM Programs ∗
"... Assuming solely the existence of oneway functions, we show how to construct Garbled RAM Programs (GRAM) where its size only depends on fixed polynomial in the security parameter times the program running time. We stress that we avoid converting the RAM programs into circuits. As an example, our tec ..."
Abstract

Cited by 22 (2 self)
 Add to MetaCart
(Show Context)
Assuming solely the existence of oneway functions, we show how to construct Garbled RAM Programs (GRAM) where its size only depends on fixed polynomial in the security parameter times the program running time. We stress that we avoid converting the RAM programs into circuits. As an example, our techniques implies the first garbled binary search program (searching over sorted encrypted data stored in a cloud) which is polylogarithmic in the data size instead of linear. Our result requires the existence of oneway function and enjoys the same noninteractive properties as Yao’s original garbled circuits.
MiniLEGO: Efficient Secure TwoParty Computation From General Assumptions (Full Version)
"... Abstract One of the main tools to construct secure twoparty computation protocols are Yao garbled circuits. Using the cutandchoose technique, one can get reasonably efficient Yaobased protocols with security against malicious adversaries. At TCC 2009, Nielsen and Orlandi [NO09] suggested to appl ..."
Abstract

Cited by 16 (2 self)
 Add to MetaCart
Abstract One of the main tools to construct secure twoparty computation protocols are Yao garbled circuits. Using the cutandchoose technique, one can get reasonably efficient Yaobased protocols with security against malicious adversaries. At TCC 2009, Nielsen and Orlandi [NO09] suggested to apply cutandchoose at the gate level, while previously cutandchoose was applied on the circuit as a whole. This appealing idea allows for a speed up with practical significance (in the order of the logarithm of the size of the circuit) and has become known as the “LEGO ” construction. Unfortunately the construction in [NO09] is based on a specific numbertheoretic assumption and requires publickey operations per gate of the circuit. The main technical contribution of this work is a new XORhomomorphic commitment scheme based on oblivious transfer, that we use to cope with the problem of connecting the gates in the LEGO construction. Our new protocol has the following advantages: 1. It maintains the efficiency of the LEGO cutandchoose. 2. After a number of seed oblivious transfers linear in the security parameter, the construction uses only primitives from Minicrypt (i.e., privatekey cryptography) per gate in the circuit (hence the name MiniLEGO).
ZeroKnowledge Using Garbled Circuits or How To Prove NonAlgebraic Statements Efficiently
"... Abstract. Zeroknowledge protocols are one of the fundamental concepts in modern cryptography and have countless applications. However, after more than 30 years from their introduction, there are only very few languages (essentially those with a group structure) for which we can construct zeroknowl ..."
Abstract

Cited by 11 (3 self)
 Add to MetaCart
Abstract. Zeroknowledge protocols are one of the fundamental concepts in modern cryptography and have countless applications. However, after more than 30 years from their introduction, there are only very few languages (essentially those with a group structure) for which we can construct zeroknowledge protocols that are efficient enough to be used in practice. In this paper we address the problem of how to construct efficient zeroknowledge protocols for generic languages and we propose a protocol based on Yao’s garbled circuit technique. The motivation for our work is that in many cryptographic applications it is useful to be able to prove efficiently statements of the form e.g., “I know x s.t. y = SHA256(x) ” for a common input y (or other “unstructured ” languages), but no efficient protocols for this task are currently known. It is clear that zeroknowledge is a subset of secure twoparty computation (i.e., any protocol for generic secure computation can be used to do zeroknowledge). The main contribution of this paper is to construct an efficient protocol for the special case of secure twoparty computation where only one party has input (like in the zeroknowledge case). The protocol achieves active security and is essentially only twice as slow as Yao’s garbled circuit protocol. This is a great improvement with respect to the cutnchoose technique to make Yao’s protocol actively secure, where the complexity grows linearly
MultiClient NonInteractive Verifiable Computation
"... Abstract. Gennaro et al. (Crypto 2010) introduced the notion of noninteractive verifiable computation, which allows a computationally weak client to outsource the computation of a function f on a series of inputs x (1) ,... to a more powerful but untrusted server. Following a preprocessing phase (th ..."
Abstract

Cited by 10 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Gennaro et al. (Crypto 2010) introduced the notion of noninteractive verifiable computation, which allows a computationally weak client to outsource the computation of a function f on a series of inputs x (1) ,... to a more powerful but untrusted server. Following a preprocessing phase (that is carried out only once), the client sends some representation of its current input x (i) to the server; the server returns an answer that allows the client to recover the correct result f(x (i)), accompanied by a proof of correctness that ensures the client does not accept an incorrect result. The crucial property is that the work done by the client in preparing its input and verifying the server’s proof is less than the time required for the client to compute f on its own. We extend this notion to the multiclient setting, where n computationally weak clients wish to outsource to an untrusted server the computation of a function f over a series of joint inputs (x (1) 1,..., x(1) n),... without interacting with each other. We present a construction for this setting by combining the scheme of Gennaro et al. with a primitive called proxy oblivious transfer. 1
Instantiating Random Oracles via UCEs
, 2013
"... This paper provides a (standardmodel) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; messagelocked encryption; hardcore functions; p ..."
Abstract

Cited by 9 (3 self)
 Add to MetaCart
(Show Context)
This paper provides a (standardmodel) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; messagelocked encryption; hardcore functions; pointfunction obfuscation; OAEP; encryption secure for keydependent messages; encryption secure under relatedkey attack; proofs of storage; and adaptivelysecure garbled circuits with short tokens. We can take existing, natural and efficient ROM schemes and show that the instantiated scheme resulting from replacing the RO with a UCE function is secure in the standard model. In several cases this results in the first standardmodel schemes for these goals. The definition of UCEsecurity itself is quite simple, asking that outputs of the function look random given some “leakage, ” even if the adversary knows the key, as long as the leakage does not permit the adversary to compute the inputs.
Noninteractive secure computation based on cutandchoose
 EUROCRYPT 2014, volume 8441 of LNCS
, 2014
"... Abstract. In recent years, secure twoparty computation (2PC) has been demonstrated to be feasible in practice. However, all efficient generalcomputation 2PC protocols require multiple rounds of interaction between the two players. This property restricts 2PC to be only relevant to scenarios where ..."
Abstract

Cited by 9 (3 self)
 Add to MetaCart
Abstract. In recent years, secure twoparty computation (2PC) has been demonstrated to be feasible in practice. However, all efficient generalcomputation 2PC protocols require multiple rounds of interaction between the two players. This property restricts 2PC to be only relevant to scenarios where both players can be simultaneously online, and where communication latency is not an issue. This work considers the model of 2PC with a single round of interaction, called NonInteractive Secure Computation (NISC). In addition to the noninteraction property, we also consider a flavor of NISC that allows reusing the first message for many different 2PC invocations, possibly with different players acting as the player who sends the second message, similar to a publickey encryption where a single publickey can be used to encrypt many different messages. We present a NISC protocol that is based on the cutandchoose paradigm of Lindell and Pinkas (Eurocrypt 2007). This protocol achieves concrete efficiency similar to that of best multiround 2PC protocols based on the cutandchoose paradigm. The protocol requires only t garbled circuits for achieving cheating probability of 2−t, similar to the recent result of Lindell (Crypto 2013), but only needs a single round of interaction. To validate the efficiency of our protocol, we provide a prototype implementation of it and show experiments that confirm its competitiveness with that of the best multiround 2PC protocols. This is the first prototype implementation of an efficient NISC protocol. In addition to our NISC protocol, we introduce a new encoding technique that significantly reduces communication in the NISC setting. We further show how our NISC protocol can be improved in the multiround setting, resulting in a highly efficient constantround 2PC that is also suitable for pipelined implementation. 1
Garbling XOR Gates “For Free” in the Standard Model
"... Yao’s garbled circuit (GC) technique is a powerful cryptographic tool which allows to “encrypt” a circuit C by another circuit Ĉ in a way that hides all information except for the final output. Yao’s original construction incurs a constant overhead in both computation and communication per gate of t ..."
Abstract

Cited by 8 (0 self)
 Add to MetaCart
Yao’s garbled circuit (GC) technique is a powerful cryptographic tool which allows to “encrypt” a circuit C by another circuit Ĉ in a way that hides all information except for the final output. Yao’s original construction incurs a constant overhead in both computation and communication per gate of the circuit C (proportional to the complexity of symmetric encryption). Kolesnikov and Schneider (ICALP 2008) introduced an optimized variant that garbles XOR gates “for free ” in a way that involves no cryptographic operations and no communication. This variant has become very popular and has lead to notable performance improvements. The security of the freeXOR optimization was originally proved in the random oracle model. Despite some partial progress (Choi et al., TCC 2012), the question of replacing the random oracle with a standard cryptographic assumption has remained open. We resolve this question by showing that the freeXOR approach can be realized in the standard model under the learning parity with noise (LPN) assumption. Our result is obtained in two steps: 1. We show that the random oracle can be replaced with a symmetric encryption which remains secure under a combined form of relatedkey (RK) and keydependent message (KDM) attacks; 2. We show that such a symmetric encryption can be constructed based on the LPN assumption. As an additional contribution, we prove that the combination of RK and KDM security is nontrivial in the following sense: There exists an encryption scheme which achieves RK security and KDM security separately, but breaks completely at the presence of combined RKKDM attacks.