Results 1 to 10 of 42
Candidate Multilinear Maps from Ideal Lattices and Applications, 2012
Abstract

Cited by 151 (15 self)
We describe plausible lattice-based constructions with properties that approximate the sought-after multilinear maps in hard-discrete-logarithm groups, and show that some applications of such multilinear maps can be realized using our approximations. The security of our constructions relies on seemingly hard problems in ideal lattices, which can be viewed as extensions of the assumed hardness of the NTRU function.
Attribute-based encryption for circuits from multilinear maps. Cryptology ePrint Archive, Report 2013/128, 2013. http://eprint.iacr.org/
Abstract

Cited by 54 (8 self)
In this work, we provide the first construction of Attribute-Based Encryption (ABE) for general circuits. Our construction is based on the existence of multilinear maps. We prove selective security of our scheme in the standard model under the natural multilinear generalization of the BDDH assumption. Our scheme achieves both Key-Policy and Ciphertext-Policy variants of ABE. Our scheme and its proof of security directly translate to the recent multilinear map framework of Garg, Gentry, and Halevi. This paper subsumes the manuscript of Sahai and Waters [SW12].
Reusable garbled circuits and succinct functional encryption, 2013
Abstract

Cited by 42 (3 self)
Garbled circuits, introduced by Yao in the mid 80s, allow computing a function f on an input x without leaking anything about f or x besides f(x). Garbled circuits found numerous applications, but every known construction suffers from one limitation: it offers no security if used on multiple inputs x. In this paper, we construct for the first time reusable garbled circuits. The key building block is a new succinct single-key functional encryption scheme. Functional encryption is an ambitious primitive: given an encryption Enc(x) of a value x, and a secret key sk_f for a function f, anyone can compute f(x) without learning any other information about x. We construct, for the first time, a succinct functional encryption scheme for any polynomial-time function f where succinctness means that the ciphertext size does not grow with the size of the circuit for f, but only with its depth. The security of our construction is based on the intractability of the Learning with Errors (LWE) problem and holds as long as an adversary has access to a single key sk_f (or even an a priori bounded number of keys for different functions). Building on our succinct single-key functional encryption scheme, we show several new applications in addition to reusable garbled circuits, such as a paradigm for general function obfuscation which we call token-based obfuscation, homomorphic encryption for a class of Turing machines where the evaluation runs in input-specific time rather than worst-case time, and a scheme for delegating computation which is publicly verifiable and maintains the privacy of the computation.
SNARKs for C: Verifying program executions succinctly and in zero knowledge. In Proceedings of CRYPTO 2013, LNCS
Abstract

Cited by 28 (2 self)
An argument system for NP is a proof system that allows efficient verification of NP statements, given proofs produced by an untrusted yet computationally-bounded prover. Such a system is non-interactive and publicly-verifiable if, after a trusted party publishes a proving key and a verification key, anyone can use the proving key to generate non-interactive proofs for adaptively-chosen NP statements, and proofs can be verified by anyone by using the verification key. We present an implementation of a publicly-verifiable non-interactive argument system for NP. The system, moreover, is a zero-knowledge proof-of-knowledge. It directly proves correct executions of programs on TinyRAM, a random-access machine tailored for efficient verification of nondeterministic computations. Given a program P and time bound T, the system allows for proving correct execution of P, on any input x, for up to T steps, after a one-time setup requiring Õ(|P| · T) cryptographic operations. An honest prover requires Õ(|P| · T) cryptographic operations to generate such a proof, while proof verification can be performed with only O(|x|) cryptographic operations. This system can be used to prove the correct execution of C programs, using our TinyRAM port of the GCC compiler. This yields a zero-knowledge Succinct Non-interactive ARgument of Knowledge (zk-SNARK) for
On the Achievability of SimulationBased Security for Functional Encryption
Abstract

Cited by 20 (7 self)
This work attempts to clarify to what extent simulation-based security (SIM-security) is achievable for functional encryption (FE) and its relation to the weaker indistinguishability-based security (IND-security). Our main result is a compiler that transforms any FE scheme for the general circuit functionality (which we denote by Circuit-FE) meeting indistinguishability-based security (IND-security) to a Circuit-FE scheme meeting SIM-security, where:
– In the random oracle model, the resulting scheme is secure for an unbounded number of encryption and key queries, which is the strongest security level one can ask for.
– In the standard model, the resulting scheme is secure for a bounded number of encryption and non-adaptive key queries, but an unbounded number of adaptive key queries. This matches known impossibility results and improves upon Gorbunov et al. [CRYPTO’12] (which is only secure for non-adaptive key queries).
Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits, 2014
Abstract

Cited by 19 (2 self)
We construct the first (key-policy) attribute-based encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fan-in gates thereby further reducing the circuit depth. Building on this ABE system we obtain the first reusable circuit garbling scheme that produces garbled circuits whose size is the same as the original circuit plus an additive poly(λ, d) bits, where λ is the security parameter and d is the circuit depth. Save the additive poly(λ, d) factor, this is the best one could hope for. All previous constructions incurred a multiplicative poly(λ) blowup. As another application, we obtain (single key secure) functional encryption with short secret keys. We construct our attribute-based system using a mechanism we call fully key-homomorphic encryption which is a public-key system that lets anyone translate a ciphertext encrypted under a public-key x into a ciphertext encrypted under the public-key (f(x), f) of the same plaintext, for any efficiently computable f. We show that this mechanism gives an ABE with short keys. Security is based on the sub-exponential hardness of the learning with errors problem. We also present a second (key-policy) ABE, using multilinear maps, with short ciphertexts: an encryption to an attribute vector x is the size of x plus poly(λ, d) additional bits. This gives a reusable circuit garbling scheme where the size of the garbled input is short, namely the same as that of the original input, plus a poly(λ, d) factor.
How to Run Turing Machines on Encrypted Data
Abstract

Cited by 15 (1 self)
Algorithms for computing on encrypted data promise to be a fundamental building block of cryptography. The way one models such algorithms has a crucial effect on the efficiency and usefulness of the resulting cryptographic schemes. As of today, almost all known schemes for fully homomorphic encryption, functional encryption, and garbling schemes work by modeling algorithms as circuits rather than as Turing machines. As a consequence of this modeling, evaluating an algorithm over encrypted data is as slow as the worst-case running time of that algorithm, a dire fact for many tasks. In addition, in settings where an evaluator needs a description of the algorithm itself in some “encoded” form, the cost of computing and communicating such encoding is as large as the worst-case running time of this algorithm. In this work, we construct cryptographic schemes for computing Turing machines on encrypted data that avoid the worst-case problem. Specifically, we show:
– An attribute-based encryption scheme for any polynomial-time Turing machine and Random Access Machine (RAM).
Dual system encryption via predicate encodings. In TCC, 2014
Abstract

Cited by 13 (4 self)
We introduce the notion of predicate encodings, an information-theoretic primitive reminiscent of linear secret-sharing that in addition, satisfies a novel notion of reusability. Using this notion, we obtain a unifying framework for adaptively-secure public-index predicate encryption schemes for a large class of predicates. Our framework relies on Waters’ dual system encryption methodology (Crypto ’09), and encompasses the identity-based encryption scheme of Lewko and Waters (TCC ’10), and the attribute-based encryption scheme of Lewko et al. (Eurocrypt ’10). In addition, we obtain several concrete improvements over prior works. Our work offers a novel interpretation of dual system encryption as a methodology for amplifying a one-time private-key primitive (i.e. predicate encodings) into a many-time public-key primitive (i.e. predicate encryption).
(Leveled) Fully Homomorphic Signatures from Lattices, 2014
Abstract

Cited by 6 (0 self)
In a homomorphic signature scheme, given a vector of signatures σ⃗ corresponding to a dataset of messages µ⃗, there is a public algorithm that allows to derive a signature σ′ for message µ′ = f(µ⃗) for any function f. Given the tuple (σ′, µ′, f) anyone can publicly verify the result of the computation of function f. Along with the standard notion of unforgeability for signatures, the security of homomorphic signatures guarantees that no adversary is able to make a forgery σ* for µ* ≠ f(µ⃗). We construct the first homomorphic signature scheme for evaluating arbitrary functions. In our scheme, the public parameters and the size of the resulting signature grow polynomially with the depth of the circuit representation of f. Our scheme is secure in the standard model assuming hardness of finding Small Integer Solutions in hard lattices. Furthermore, our construction has asymptotically fast verification which immediately leads to a new solution for verifiable outsourcing with preprocessing phase. Previous state of the art constructions were limited to evaluating polynomials of constant degree, secure in the random oracle model without asymptotically fast verification.
The Trojan Method in Functional Encryption: From Selective to Adaptive Security, Generically
Abstract

Cited by 6 (3 self)
In a functional encryption (FE) scheme, the owner of the secret key can generate restricted decryption keys that allow users to learn specific functions of the encrypted messages and nothing else. In many known constructions of FE schemes, such a notion of security is guaranteed only for messages that are fixed ahead of time (i.e., before the adversary even interacts with the system). This is called selective security, which is too restrictive for many realistic applications. Achieving adaptive security (also called full security), where security is guaranteed even for messages that are adaptively chosen at any point in time, seems significantly more challenging. The handful of known fully-secure schemes are based on specifically tailored techniques that rely on strong assumptions (such as obfuscation assumptions or multilinear maps assumptions). In this paper we show that any sufficiently expressive selectively-secure FE scheme can be transformed into a fully secure one without introducing any additional assumptions. We present a direct black-box transformation, making novel use of hybrid encryption, a classical technique that was originally introduced for improving the efficiency of encryption schemes, combined with a new technique we call the Trojan Method. This method allows to embed a secret execution thread in the functional keys of the underlying