Results 1 - 10 of 16
Function-Private Functional Encryption in the Private-Key Setting
Cited by 12 (4 self)
Functional encryption supports restricted decryption keys that allow users to learn specific functions of the encrypted messages. Whereas the vast majority of research on functional encryption has so far focused on the privacy of the encrypted messages, in many realistic scenarios it is crucial to offer privacy also for the functions for which decryption keys are provided. Whereas function privacy is inherently limited in the public-key setting, in the private-key setting it has a tremendous potential. Specifically, one can hope to construct schemes where encryptions of messages $m_1, \ldots, m_T$ together with decryption keys corresponding to functions $f_1, \ldots, f_T$, reveal essentially no information other than the values $\{f_i(m_j)\}_{i,j \in [T]}$. Despite its great potential, the known function-private private-key schemes either support rather limited families of functions (such as inner products), or offer somewhat weak notions of function privacy. We present a generic transformation that yields a function-private functional encryption scheme, starting with any non-function-private scheme for a sufficiently rich function class. Our transformation preserves the message privacy of the underlying scheme, and can be instantiated using a variety of existing schemes. Plugging in known constructions of functional encryption schemes, we obtain function-private schemes based either on obfuscation assumptions, on the Learning with Errors assumption, or even on general public-key encryption (offering various trade-offs between security and efficiency).
Instantiating Random Oracles via UCEs
2013
Cited by 9 (3 self)
This paper provides a (standard-model) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; message-locked encryption; hardcore functions; point-function obfuscation; OAEP; encryption secure for key-dependent messages; encryption secure under related-key attack; proofs of storage; and adaptively-secure garbled circuits with short tokens. We can take existing, natural and efficient ROM schemes and show that the instantiated scheme resulting from replacing the RO with a UCE function is secure in the standard model. In several cases this results in the first standard-model schemes for these goals. The definition of UCE-security itself is quite simple, asking that outputs of the function look random given some “leakage,” even if the adversary knows the key, as long as the leakage does not permit the adversary to compute the inputs.
Function-Private Subspace-Membership Encryption and Its Applications
Cited by 9 (2 self)
Boneh, Raghunathan, and Segev (CRYPTO ’13) have recently put forward the notion of function privacy and applied it to identity-based encryption, motivated by the need for providing predicate privacy in public-key searchable encryption. Intuitively, their notion asks that decryption keys reveal essentially no information on their corresponding identities, beyond the absolute minimum necessary. While Boneh et al. showed how to construct function-private identity-based encryption (which implies predicate-private encrypted keyword search), searchable encryption typically requires a richer set of predicates. In this paper we significantly extend the function privacy framework. First, we introduce the new notion of subspace-membership encryption, a generalization of inner-product encryption, and formalize a meaningful and realistic notion for capturing its function privacy. Then, we present a generic construction of a function-private subspace-membership encryption scheme based on any inner-product encryption scheme. This is the first generic construction that yields a function-private encryption scheme based on a non-function-private one. Finally, we present various applications of function-private subspace-membership encryption.
The Trojan Method in Functional Encryption: From Selective to Adaptive Security, Generically
Cited by 6 (3 self)
In a functional encryption (FE) scheme, the owner of the secret key can generate restricted decryption keys that allow users to learn specific functions of the encrypted messages and nothing else. In many known constructions of FE schemes, such a notion of security is guaranteed only for messages that are fixed ahead of time (i.e., before the adversary even interacts with the system). This is called selective security, which is too restrictive for many realistic applications. Achieving adaptive security (also called full security), where security is guaranteed even for messages that are adaptively chosen at any point in time, seems significantly more challenging. The handful of known fully-secure schemes are based on specifically tailored techniques that rely on strong assumptions (such as obfuscation assumptions or multilinear maps assumptions). In this paper we show that any sufficiently expressive selectively-secure FE scheme can be transformed into a fully secure one without introducing any additional assumptions. We present a direct black-box transformation, making novel use of hybrid encryption, a classical technique that was originally introduced for improving the efficiency of encryption schemes, combined with a new technique we call the Trojan Method. This method allows to embed a secret execution thread in the functional keys of the underlying
Indistinguishability Obfuscation from Compact Functional Encryption
Cited by 4 (1 self)
The arrival of indistinguishability obfuscation (iO) has transformed the cryptographic landscape by enabling several security goals that were previously beyond our reach. Consequently, one of the pressing goals currently is to construct iO from well-studied standard cryptographic assumptions. In this work, we make progress in this direction by presenting a reduction from iO to a natural form of public-key functional encryption (FE). Specifically, we construct iO for general functions from any single-key FE scheme for $\mathrm{NC}^1$ that achieves selective, indistinguishability security against subexponential time adversaries. Further, the FE scheme should be compact, namely, the running time of the encryption algorithm must only be a polynomial in the security parameter and the input message length (and not in the function description size or its output length). We achieve this result by developing a novel arity amplification technique to transform FE for single-ary functions into FE for multi-ary functions (aka multi-input FE). Instantiating our approach with known, non-compact FE schemes, we obtain the first constructions of multi-input FE for constant-ary functions based on standard assumptions. Finally, as a result of independent interest, we construct a compact FE scheme from randomized encodings for Turing machines and learning with errors assumption.
Trapdoor Privacy in Asymmetric Searchable Encryption Schemes
Cited by 2 (1 self)
We investigate the open problem, namely trapdoor privacy, in asymmetric searchable encryption (ASE) schemes. We first present two trapdoor privacy definitions (i.e. 2-TRAP-PRIV and poly-TRAP-PRIV) which provide different levels of security guarantee. Motivated by the generic transformation from IBE to ASE, we introduce two key anonymity properties (i.e. 2-KEY-ANO and poly-KEY-ANO) for IBE schemes, so that these properties directly lead to the resulting ASE’s 2-TRAP-PRIV and poly-TRAP-PRIV properties respectively at the end of a transformation. We then present a simplified Boyen-Waters scheme and prove that it achieves IBE-IND-CPA, IBE-ANO (anonymity), and 2-KEY-ANO security in the random oracle model. Finally, we extend the simplified Boyen-Waters scheme to be based on pairings over composite-order groups and prove that the extended scheme achieves poly-KEY-ANO security without random oracles.
Functional Encryption for Randomized Functionalities in the Private-Key Setting from Minimal Assumptions
Cited by 2 (2 self)
We present a construction of a private-key functional encryption scheme for any family of randomized functionalities based on any such scheme for deterministic functionalities that is sufficiently expressive. Instantiating our construction with existing schemes for deterministic functionalities, we obtain schemes for any family of randomized functionalities based on a variety of assumptions (including the LWE assumption, simple assumptions on multilinear maps, and even the existence of any one-way function) offering various trade-offs between security and efficiency. Previously, Goyal, Jain, Koppula and Sahai [Cryptology ePrint Archive, 2013] constructed a public-key functional encryption scheme for any family of randomized functionalities based on indistinguishability obfuscation. One of the key insights underlying our work is that, in the private-key setting, a sufficiently expressive functional encryption scheme may be appropriately utilized for implementing proof techniques that were so far implemented based on obfuscation assumptions (such as the punctured programming technique of Sahai and Waters [STOC 2014]). We view this as a contribution of independent interest that may be found useful in other settings as well.
Functional encryption from (small) hardware tokens
In ASIACRYPT, 2013
Cited by 1 (0 self)
Functional encryption (FE) enables fine-grained access control of encrypted data while promising simplified key management. In the past few years substantial progress has been made on functional encryption and a weaker variant called predicate encryption. Unfortunately, fundamental impossibility results have been demonstrated for constructing FE schemes for general functions satisfying a simulation-based definition of security. We show how to use hardware tokens to overcome these impossibility results. In our envisioned scenario, an authority gives a hardware token and some cryptographic information to each authorized user; the user combines these to decrypt received ciphertexts. Our schemes rely on stateless tokens that are identical for all users. (Requiring a different token for each user trivializes the problem, and would be a barrier to practical deployment.) The tokens can implement relatively “lightweight” computation relative to the functions supported by the scheme. Our token-based approach can be extended to support hierarchical functional encryption, function privacy, and more.
Nothing is for Free: Security in Searching Shared and Encrypted Data
Most existing symmetric searchable encryption schemes aim at allowing a user to outsource her encrypted data to a cloud server and delegate the latter to search on her behalf. These schemes do not qualify as a secure and scalable solution for the multi-party setting, where users outsource their encrypted data to a cloud server and selectively authorize each other to search. Due to the possibility that the cloud server may collude with some malicious users, it is a challenge to have a secure and scalable multi-party searchable encryption (MPSE) scheme. This is shown by our analysis on the Popa-Zeldovich scheme, which says that an honest user may leak all her search patterns even if she shares only one of her documents with another malicious user. Based on our analysis, we present a new security model for MPSE by considering the worst-case and average-case scenarios, which capture different server-user collusion possibilities. We then propose an MPSE scheme by employing the bilinear property of Type-3 pairings and prove its security based on the bilinear Diffie-Hellman variant and symmetric external Diffie-Hellman assumptions in the random oracle model. Index Terms: Multi-party searchable encryption (MPSE), data privacy, trapdoor privacy, pairing.
On the Disadvantages of Pairing-based Cryptography
Pairing-based cryptography (PBC) has many elegant properties. It is claimed that PBC can offer a desired security level with smaller parameters than the general elliptic curve cryptography (ECC). In the note, we remark that this view is misleading. Suppose that an elliptic curve $E$ is defined over the field $\mathbb{F}_q$. Then ECC is working with elements which are defined over $\mathbb{F}_q$. But PBC is working with the functions and elements defined over $\mathbb{F}_{q^k}$, where $k$ is the embedding degree. The security of PBC depends directly on the intractable level of either elliptic curve discrete log problem (ECDLP) in the group $E(\mathbb{F}_q)$ or discrete log problem (DLP) in the group $\mathbb{F}_{q^k}^*$. That means PBC protocols have to work in a running environment with parameters of 1024 bits so as to offer 80 bits security level. The shortcoming makes PBC lose its competitive advantages significantly.