Outsourcing Private RAM Computation, 2014
Cited by 20 (1 self)
Abstract
We construct the first schemes that allow a client to privately outsource arbitrary program executions to a remote server while ensuring that: (I) the client’s work is small and essentially independent of the complexity of the computation being outsourced, and (II) the server’s work is only proportional to the runtime of the computation on a random access machine (RAM), rather than its potentially much larger circuit size. Furthermore, our solutions are non-interactive and have the structure of reusable garbled RAM programs, addressing an open question of Lu and Ostrovsky (Eurocrypt 2013). We also construct schemes for an augmented variant of the above scenario, where the client can initially outsource a large private and persistent database to the server, and later outsource arbitrary program executions with read/write access to this database. Our solutions are built from non-reusable garbled RAM in conjunction with new types of reusable garbled circuits that are more efficient than prior solutions but only satisfy weaker security. For the basic setting without a persistent database, we can instantiate the required type of reusable garbled circuits from indistinguishability obfuscation or from functional encryption for circuits as a black box. For the more complex setting with a persistent database, we can instantiate the required type of reusable garbled circuits using stronger notions of obfuscation. It remains an open problem to instantiate these new types of reusable garbled circuits under weaker assumptions, possibly avoiding obfuscation altogether. We also give several extensions of our results and techniques to achieve: schemes with efficiency proportional to the input-specific RAM runtime, verifiable outsourced RAM computation, functional encryption for RAMs, and a candidate obfuscator for RAMs.
Multi-Input Functional Encryption
Cited by 13 (3 self)
Abstract
We introduce the problem of Multi-Input Functional Encryption, where a secret key SK_f can correspond to an n-ary function f that takes multiple ciphertexts as input. Multi-input functional encryption is a general tool for computing on encrypted data which allows for mining aggregate information from several different data sources (rather than just a single source as in single-input functional encryption). We show wide applications of this primitive to running SQL queries over encrypted databases, non-interactive differentially private data release, delegation of computation, etc. We formulate both indistinguishability-based and simulation-based definitions of security for this notion, and show close connections with indistinguishability and virtual black-box definitions of obfuscation. Assuming indistinguishability obfuscation for circuits, we present constructions achieving indistinguishability security for a large class of settings. We show how to modify this construction to achieve simulation-based security as well, in those settings where simulation security is possible. Assuming differing-inputs obfuscation [Barak et al., FOCS’01], we also provide a construction with similar security guarantees as above, but where the keys and ciphertexts are compact.
Function-Private Functional Encryption in the Private-Key Setting
Cited by 12 (4 self)
Abstract
Functional encryption supports restricted decryption keys that allow users to learn specific functions of the encrypted messages. Whereas the vast majority of research on functional encryption has so far focused on the privacy of the encrypted messages, in many realistic scenarios it is crucial to offer privacy also for the functions for which decryption keys are provided. Whereas function privacy is inherently limited in the public-key setting, in the private-key setting it has a tremendous potential. Specifically, one can hope to construct schemes where encryptions of messages m_1, ..., m_T together with decryption keys corresponding to functions f_1, ..., f_T reveal essentially no information other than the values {f_i(m_j)}_{i,j ∈ [T]}. Despite its great potential, the known function-private private-key schemes either support rather limited families of functions (such as inner products), or offer somewhat weak notions of function privacy. We present a generic transformation that yields a function-private functional encryption scheme, starting with any non-function-private scheme for a sufficiently rich function class. Our transformation preserves the message privacy of the underlying scheme, and can be instantiated using a variety of existing schemes. Plugging in known constructions of functional encryption schemes, we obtain function-private schemes based either on obfuscation assumptions, on the Learning with Errors assumption, or even on general public-key encryption (offering various tradeoffs between security and efficiency).
Semantically Secure Order-Revealing Encryption: Multi-Input Functional Encryption Without Obfuscation
Cited by 9 (1 self)
Abstract
Deciding “greater-than” relations among data items just given their encryptions is at the heart of search algorithms on encrypted data, most notably, non-interactive binary search on encrypted data. Order-preserving encryption provides one solution, but provably provides only limited security guarantees. Two-input functional encryption is another approach, but requires the full power of obfuscation machinery and is currently not implementable. We construct the first implementable encryption system supporting greater-than comparisons on encrypted data that provides the “best-possible” semantic security. In our scheme there is a public algorithm that, given two ciphertexts as input, reveals the order of the corresponding plaintexts and nothing else. Our constructions are inspired by obfuscation techniques, but do not use obfuscation. For example, to compare two 16-bit encrypted values (e.g., salaries or age) we only need a 9-way multilinear map. More generally, comparing k-bit values requires only a (k/2 + 1)-way multilinear map. The required degree of multilinearity can be further reduced, but at the cost of increasing ciphertext size. Beyond comparisons, our results give an implementable secret-key multi-input functional encryption scheme for functionalities that can be expressed as (generalized) branching programs of polynomial length and width. Comparisons are a special case of this class, where for k-bit inputs the branching program is of length k + 1 and width 4.
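The comparison-as-branching-program claim in the abstract above, as an added illustration that is neither the paper's code nor its exact parameters: the program below compares k-bit values with a constant-width layered matrix branching program, then applies Kilian-style re-randomization (the standard trick for hiding the individual layers of a matrix branching program while preserving their product, which is the algebraic structure that obfuscation-inspired constructions go on to encode) and checks exhaustively that both evaluations match integer comparison. The three-state automaton, the pairwise bit reading at each layer, the prime modulus and all function names are my assumptions; the paper's own generalized branching program has width 4 and length k + 1, and its multilinear-map encoding is not reproduced here.

```python
"""Greater-than comparison as a matrix branching program, with Kilian-style
re-randomization of its layers.  Added illustration, not code from the
order-revealing encryption paper or its authors.  Assumptions (mine): each layer
reads the pair of i-th bits (x_i, y_i), most significant first, over three
states, so k-bit inputs give length k and width 3 (the paper's generalized
branching programs have length k + 1 and width 4); the prime modulus is a toy
choice; the paper's multilinear-map encoding of the layers is not reproduced.
"""
import random
from typing import Dict, List, Optional, Tuple

Matrix = List[List[int]]
Layer = Dict[Tuple[int, int], Matrix]  # bit pair read at a layer -> transition matrix

UNDECIDED, GT, LT = 0, 1, 2  # prefixes equal so far / x > y decided / x < y decided
WIDTH = 3
P = 2**61 - 1                # field for the randomized program (constructed parameter)

def step(state: int, xb: int, yb: int) -> int:
    """Automaton transition: once a differing bit is seen the outcome is fixed."""
    if state != UNDECIDED:
        return state
    return GT if xb > yb else LT if xb < yb else UNDECIDED

def layer_matrix(xb: int, yb: int) -> Matrix:
    """0/1 transition matrix: M[s][t] = 1 iff reading (xb, yb) moves state s to t."""
    m = [[0] * WIDTH for _ in range(WIDTH)]
    for s in range(WIDTH):
        m[s][step(s, xb, yb)] = 1
    return m

def comparison_program(k: int) -> List[Layer]:
    """The program is input-independent; the inputs only select one matrix per layer."""
    return [{(a, b): layer_matrix(a, b) for a in (0, 1) for b in (0, 1)} for _ in range(k)]

def identity(n: int) -> Matrix:
    return [[int(i == j) for j in range(n)] for i in range(n)]

def matmul(a: Matrix, b: Matrix, mod: int) -> Matrix:
    n = len(a)
    return [[sum(a[i][j] * b[j][l] for j in range(n)) % mod for l in range(n)] for i in range(n)]

def vecmat(v: List[int], m: Matrix, mod: int) -> List[int]:
    return [sum(v[i] * m[i][j] for i in range(len(v))) % mod for j in range(len(m[0]))]

def inverse(m: Matrix, mod: int) -> Matrix:
    """Gauss-Jordan inverse over GF(mod); raises ValueError if m is singular."""
    n = len(m)
    aug = [row[:] + identity(n)[i] for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            raise ValueError("singular matrix")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, mod)
        aug[col] = [v * inv % mod for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % mod for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def random_invertible(n: int, mod: int, rng: random.Random) -> Tuple[Matrix, Matrix]:
    while True:  # a random matrix over a large prime field is almost never singular
        m = [[rng.randrange(mod) for _ in range(n)] for _ in range(n)]
        try:
            return m, inverse(m, mod)
        except ValueError:
            continue

def kilian_randomize(program: List[Layer], mod: int, rng: random.Random):
    """M'_i = R_i^-1 M_i R_{i+1}, start' = e_UNDECIDED R_0, targets = rows of R_k.  The
    product telescopes to e_final R_k, so the evaluator still learns which target row
    it hits (the order), while no single layer keeps the 0/1 automaton structure."""
    k = len(program)
    rs = [random_invertible(WIDTH, mod, rng) for _ in range(k + 1)]  # (R_i, R_i^-1)
    rand = [{bp: matmul(matmul(rs[i][1], m, mod), rs[i + 1][0], mod)
             for bp, m in program[i].items()} for i in range(k)]
    return rand, rs[0][0][UNDECIDED], rs[k][0]

def bits_msb_first(v: int, k: int) -> List[int]:
    return [(v >> (k - 1 - i)) & 1 for i in range(k)]

def compare(x: int, y: int, k: int, seed: Optional[int] = None) -> int:
    """Evaluate the program on k-bit x, y (the Kilian-randomized one if a seed is given).
    Returns 1 (x > y), -1 (x < y), 0 (equal)."""
    prog, start, targets = comparison_program(k), [1, 0, 0], identity(WIDTH)  # e_UNDECIDED
    if seed is not None:
        prog, start, targets = kilian_randomize(prog, P, random.Random(seed))
    v = start
    for lay, xb, yb in zip(prog, bits_msb_first(x, k), bits_msb_first(y, k)):
        v = vecmat(v, lay[(xb, yb)], P)  # row vector times the selected layer matrix
    return {UNDECIDED: 0, GT: 1, LT: -1}[targets.index(v)]

def exhaustive_check(k: int, seed: int = 7) -> bool:
    """Plain and randomized evaluation agree with integer comparison on all k-bit pairs."""
    sign = lambda d: (d > 0) - (d < 0)
    return all(compare(x, y, k) == sign(x - y) == compare(x, y, k, seed)
               for x in range(2**k) for y in range(2**k))
```

`exhaustive_check(3)` confirms that both the plain and the randomized program agree with `<`, `>` and `==` on all 64 pairs of 3-bit values; placing one matrix of `kilian_randomize(comparison_program(3), P, random.Random(7))[0][0]` next to `layer_matrix(1, 0)` shows that the randomized layer no longer reveals which transitions it encodes. Handing the evaluator the randomized layers and target rows in the clear, as done here, still leaks more than the order (the random matrices themselves, for one); it illustrates the algebra the abstract relies on, not a secure scheme.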
On the Communication Complexity of Secure Function Evaluation with Long Output
Cited by 7 (2 self)
Abstract
We study the communication complexity of secure function evaluation (SFE). Consider a setting where Alice has a short input x_A, Bob has an input x_B and we want Bob to learn some function y = f(x_A, x_B) with large output size. For example, Alice has a small secret decryption key, Bob has a large encrypted database and we want Bob to learn the decrypted data without learning anything else about Alice’s key. In a trivial insecure protocol, Alice can just send her short input x_A to Bob. However, all known SFE protocols have communication complexity that scales with the size of the output y, which can potentially be much larger. Is such “output-size dependence” inherent in SFE? Surprisingly, we show that output-size dependence can be avoided in the honest-but-curious setting. In particular, using indistinguishability obfuscation (iO) and fully homomorphic encryption (FHE), we construct the first honest-but-curious SFE protocol whose communication complexity only scales with that of the best insecure protocol for evaluating the desired function, independent of the output size. Our construction relies on a novel way of using iO via a new tool that we call a “somewhere statistically binding (SSB) hash”, which may be of independent interest. On the negative side, we show that output-size dependence is inherent in the fully malicious setting, or even already in an honest-but-deterministic setting, where the corrupted party follows the protocol as specified but fixes its random tape to some deterministic value. Moreover, we show that even in an offline/online protocol, the communication of the online phase must have output-size dependence. This negative result uses an incompressibility argument and it generalizes several recent lower bounds for functional encryption and (reusable) garbled circuits, which follow as simple corollaries of our general theorem.
The Trojan Method in Functional Encryption: From Selective to Adaptive Security, Generically
Cited by 6 (3 self)
Abstract
In a functional encryption (FE) scheme, the owner of the secret key can generate restricted decryption keys that allow users to learn specific functions of the encrypted messages and nothing else. In many known constructions of FE schemes, such a notion of security is guaranteed only for messages that are fixed ahead of time (i.e., before the adversary even interacts with the system). This is called selective security, which is too restrictive for many realistic applications. Achieving adaptive security (also called full security), where security is guaranteed even for messages that are adaptively chosen at any point in time, seems significantly more challenging. The handful of known fully-secure schemes are based on specifically tailored techniques that rely on strong assumptions (such as obfuscation assumptions or multilinear maps assumptions). In this paper we show that any sufficiently expressive selectively-secure FE scheme can be transformed into a fully secure one without introducing any additional assumptions. We present a direct black-box transformation, making novel use of hybrid encryption, a classical technique that was originally introduced for improving the efficiency of encryption schemes, combined with a new technique we call the Trojan Method. This method allows one to embed a secret execution thread in the functional keys of the underlying
A Unified Approach to Idealized Model Separations via Indistinguishability
Cited by 4 (0 self)
Abstract
It is well known that the random oracle model is not sound in the sense that there exist cryptographic systems that are secure in the random oracle model but when instantiated by any family of hash functions become insecure. However, all known separation results require the attacker to send an appropriately crafted message to the challenger in order to break security. Thus, this leaves open the possibility that some cryptographic schemes, such as bit-encryption, are still sound in the random oracle model. In this work we refute this possibility, assuming the existence of indistinguishability obfuscation. We do so in the following way. First, we present a random oracle separation for bit-encryption; namely, we show that there exists a bit-encryption protocol secure in the random oracle model but completely insecure when the random oracle is instantiated by any concrete function. Second, we show how to adapt this separation to work for most natural simulation-based and game-based definitions. Our techniques can easily be adapted to other idealized models, and thus we present a unified approach to showing separations for most protocols of interest in most idealized models.
Functional Encryption for Randomized Functionalities in the Private-Key Setting from Minimal Assumptions
Cited by 2 (2 self)
Abstract
We present a construction of a private-key functional encryption scheme for any family of randomized functionalities based on any such scheme for deterministic functionalities that is sufficiently expressive. Instantiating our construction with existing schemes for deterministic functionalities, we obtain schemes for any family of randomized functionalities based on a variety of assumptions (including the LWE assumption, simple assumptions on multilinear maps, and even the existence of any one-way function) offering various tradeoffs between security and efficiency. Previously, Goyal, Jain, Koppula and Sahai [Cryptology ePrint Archive, 2013] constructed a public-key functional encryption scheme for any family of randomized functionalities based on indistinguishability obfuscation. One of the key insights underlying our work is that, in the private-key setting, a sufficiently expressive functional encryption scheme may be appropriately utilized for implementing proof techniques that were so far implemented based on obfuscation assumptions (such as the punctured programming technique of Sahai and Waters [STOC 2014]). We view this as a contribution of independent interest that may be found useful in other settings as well.
Succinct Garbling Schemes and Applications, 2014
Cited by 1 (0 self)
Abstract
Assuming the existence of iO for P/poly and one-way functions, we show how to succinctly garble bounded-space computations (BSC) M: the size of the garbled program (as well as the time needed to generate the garbling) only depends on the size and space (including the input and output) complexity of M, but not its running time. The key conceptual insight behind this construction is a method for using iO to “compress” a computation that can be performed piecemeal, without revealing anything about it. As corollaries of our succinct garbling scheme, we demonstrate the following:
• functional encryption for BSC from iO for P/poly and one-way functions;
• reusable succinct garbling schemes for BSC from iO for P/poly and one-way functions;
• succinct iO for BSC from subexponentially-secure iO for P/poly and subexponentially-secure one-way functions;
• (Perfect NIZK) SNARGs for bounded space and witness NP from subexponentially-secure iO for P/poly and subexponentially-secure one-way functions.
Previously such primitives were only known to exist based on “knowledge-based” assumptions (such as SNARKs and/or differing-input obfuscation). We finally demonstrate the first (non-succinct) iO for RAM programs with bounded input and output lengths, that has polylogarithmic overhead, based on the existence of subexponentially-secure iO for P/poly and subexponentially-secure one-way functions.
Succinct Randomized Encodings and their Applications, 2014
Cited by 1 (0 self)
Abstract
A randomized encoding allows one to represent a “complex” function f(x) by a “simpler” randomized function f̂(x; r) whose output distribution encodes f(x), while revealing nothing else regarding x. Existing randomized encodings, geared mostly to allow encoding with low parallel complexity, have proven instrumental in various strong applications such as multiparty computation and parallel cryptography. This work focuses on another natural complexity measure: the time required to encode. We construct succinct randomized encodings where a computation given by a (Turing or random-access) machine M, and input x, requiring time t and space s, can be encoded roughly in time poly(|x|, log t, s), thus inducing significant savings in time when s ≪ t. The scheme guarantees computational input-privacy and is based on indistinguishability obfuscation for a relatively simple circuit class, which can in turn be based on a polynomial version of the subgroup elimination assumption on multilinear graded encodings. We then invoke succinct randomized encodings to obtain several strong applications, including:
• Indistinguishability obfuscation for uniform (Turing or random-access) machines, where the obfuscated machine iO(M) computes the same function as M for inputs x of a-priori-fixed maximal size n, and is computed in time poly(n, log t, s).