Results 1-10 of 67
Constrained Pseudorandom Functions and Their Applications
Cited by 69 (11 self)
Abstract
We put forward a new notion of pseudorandom functions (PRFs) we call constrained PRFs. In a standard PRF there is a master key k that enables one to evaluate the function at all points in the domain of the function. In a constrained PRF it is possible to derive constrained keys k_S from the master key k. A constrained key k_S enables the evaluation of the PRF at a certain subset S of the domain and nowhere else. We present a formal framework for this concept and show that constrained PRFs can be used to construct powerful primitives such as identity-based key exchange and an optimal private broadcast encryption system. We then construct constrained PRFs for several natural set systems needed for these applications. We conclude with several open problems relating to this new concept.
Delegatable Pseudorandom Functions and Applications
Cited by 55 (0 self)
Abstract
We put forth the problem of delegating the evaluation of a pseudorandom function (PRF) to an untrusted proxy. A delegatable PRF, or DPRF for short, is a new primitive that enables a proxy to evaluate a PRF on a strict subset of its domain using a trapdoor derived from the DPRF secret key. PRF delegation is policy-based: the trapdoor is constructed with respect to a certain policy that determines the subset of input values which the proxy is allowed to compute. Interesting DPRFs should achieve low-bandwidth delegation: enabling the proxy to compute the PRF values that conform to the policy should be more efficient than simply providing the proxy with the sequence of all such values precomputed. The main challenge in constructing DPRFs is in maintaining the pseudorandomness of unknown values in the face of an attacker that adaptively controls proxy servers. A DPRF may be optionally equipped with an additional property we call policy privacy, where any two delegation predicates remain indistinguishable in the view of a DPRF-querying proxy: achieving this raises new design challenges as policy privacy and efficiency are seemingly conflicting goals. For the important class of policies described as (1-dimensional) ranges, we devise two DPRF constructions and rigorously prove their security. Built upon the well-known tree-based GGM PRF family [15], our constructions are generic and feature only logarithmic delegation size in the number of values conforming to the policy predicate. At only a constant-factor efficiency reduction, we show that our second construction is also policy private. As we finally describe, their new security and efficiency properties render our delegated PRF schemes particularly useful in numerous security applications, including RFID, symmetric searchable encryption, and broadcast encryption.
Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation
Cited by 32 (6 self)
Abstract
In this work, we show how to use indistinguishability obfuscation (iO) to build multiparty key exchange, efficient broadcast encryption, and efficient traitor tracing. Our schemes enjoy several interesting properties that have not been achievable before:
• Our multiparty non-interactive key exchange protocol does not require a trusted setup. Moreover, the size of the published value from each user is independent of the total number of users.
• Our broadcast encryption schemes support distributed setup, where users choose their own secret keys rather than be given secret keys by a trusted entity. The broadcast ciphertext size is independent of the number of users.
• Our traitor tracing system is fully collusion resistant with short ciphertexts, secret keys, and public key. Ciphertext size is logarithmic in the number of users and secret-key size is independent of the number of users. Our public key size is polylogarithmic in the number of users. The recent functional encryption system of Garg, Gentry, Halevi, Raykova, Sahai, and Waters also leads to a traitor tracing with similar ciphertext and secret key size, but the construction in this paper is simpler and more direct. These constructions resolve an open problem relating to differential privacy.
• Generalizing our traitor tracing system gives a private broadcast encryption scheme (where broadcast ciphertexts reveal minimal information about the recipient set) with optimal size ciphertext. Our proof of security for private broadcast encryption and traitor tracing introduces a new tool for iO proofs: the construction makes use of a key-homomorphic symmetric cipher which plays a crucial role in the proof of security.
Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation
2013
Cited by 30 (4 self)
Abstract
Our main result gives a way to instantiate the random oracle with a concrete hash function in “full domain hash” applications. The term full domain hash was first proposed by Bellare and Rogaway [BR93, BR96] and referred to a signature scheme from any trapdoor permutation that was part of their seminal work introducing the random oracle heuristic. Over time the term full domain hash has (informally) encompassed a broader range of notable cryptographic schemes including the Boneh-Franklin [BF01] IBE scheme and Boneh-Lynn-Shacham (BLS) [BLS01] signatures. All of the above described schemes required a hash function that had to be modeled as a random oracle to prove security. Our work utilizes recent advances in indistinguishability obfuscation to construct specific hash functions for use in these schemes. We then prove security of the original cryptosystems when instantiated with our specific hash function. Of particular interest, our work evades the impossibility result of Dodis, Oliveira, and Pietrzak [DOP05], who showed that there can be no black-box construction of hash functions that allow Full-Domain Hash Signatures to be based on trapdoor permutations. This indicates that our techniques applying indistinguishability
Fully Secure Functional Encryption without Obfuscation
Cited by 29 (3 self)
Abstract
Previously known functional encryption (FE) schemes for general circuits relied on indistinguishability obfuscation, which in turn either relies on an exponential number of assumptions (basically, one per circuit), or a polynomial set of assumptions, but with an exponential loss in the security reduction. Additionally, these schemes are proved in an unrealistic selective security model, where the adversary is forced to specify its target before seeing the public parameters. For these constructions, full security can be obtained but at the cost of an exponential loss in the security reduction. In this work, we overcome the above limitations and realize a fully secure functional encryption scheme without using indistinguishability obfuscation. Specifically, the security of our scheme relies only on the polynomial hardness of simple assumptions on multilinear maps.
A punctured programming approach to adaptively secure functional encryption. Cryptology ePrint Archive, Report 2014/588
2014
Cited by 19 (1 self)
Abstract
We propose a new construction for achieving adaptively secure functional encryption for poly-sized circuits from indistinguishability obfuscation. Our reduction has polynomial loss to the underlying primitives. We develop a “punctured programming” approach to constructing and proving systems where outside of obfuscation we rely only on primitives constructable from pseudorandom generators.
Limits of extractability assumptions with distributional auxiliary input
2013
Cited by 14 (4 self)
Abstract
Extractability, or “knowledge,” assumptions (such as the “knowledge-of-exponent” assumption) have recently gained popularity in the cryptographic community—leading to the study of primitives such as extractable one-way functions, extractable hash functions, succinct non-interactive arguments of knowledge (SNARKs), and extractable obfuscation, and spurring the development of a wide spectrum of new applications relying on these primitives. For most of these applications, it is required that the extractability assumption holds even in the presence of attackers receiving some auxiliary information that is sampled from some fixed efficiently computable distribution Z. We show that, assuming the existence of collision-resistant hash functions, there exists a pair of efficient distributions Z, Z′ such that either
• extractable one-way functions w.r.t. Z do not exist, or
• extractability obfuscations for Turing machines w.r.t. Z′ do not exist.
A corollary of this result shows that assuming existence of fully homomorphic encryption with decryption in NC1, there exist efficient distributions Z, Z′ such that either
• extractability obfuscations for NC1 w.r.t. Z do not exist, or
• SNARKs for NP w.r.t. Z′ do not exist.
To achieve our results, we develop a “succinct punctured program” technique, mirroring the powerful “punctured program” technique of Sahai and Waters (ePrint’13), and present several other applications of this new technique.
Indistinguishability Obfuscation vs. Auxiliary-Input Extractable Functions: One Must Fall
2013
Cited by 14 (3 self)
Abstract
We show that if there exist indistinguishability obfuscators for all circuits then there do not exist auxiliary-input extractable one-way functions. In particular, the knowledge of exponent assumption with respect to adversaries with auxiliary input is false in any group where computing discrete logarithms is intractable. The proof uses the “punctured programs” technique of [Sahai-Waters 2013].
Multi-input functional encryption
Cited by 13 (3 self)
Abstract
We introduce the problem of Multi-Input Functional Encryption, where a secret key SK_f can correspond to an n-ary function f that takes multiple ciphertexts as input. Multi-input functional encryption is a general tool for computing on encrypted data which allows for mining aggregate information from several different data sources (rather than just a single source as in single-input functional encryption). We show wide applications of this primitive to running SQL queries over encrypted databases, non-interactive differentially private data release, delegation of computation, etc. We formulate both indistinguishability-based and simulation-based definitions of security for this notion, and show close connections with indistinguishability and virtual black-box definitions of obfuscation. Assuming indistinguishability obfuscation for circuits, we present constructions achieving indistinguishability security for a large class of settings. We show how to modify this construction to achieve simulation-based security as well, in those settings where simulation security is possible. Assuming differing-inputs obfuscation [Barak et al., FOCS’01], we also provide a construction with similar security guarantees as above, but where the keys and ciphertexts are compact.
On the existence of extractable one-way functions
2014
Cited by 12 (3 self)
Abstract
A function f is extractable if it is possible to algorithmically “extract,” from any adversarial program that outputs a value y in the image of f, a preimage of y. When combined with hardness properties such as one-wayness or collision-resistance, extractability has proven to be a powerful tool. However, so far, extractability has not been explicitly shown. Instead, it has only been considered as a non-standard knowledge assumption on certain functions. We make two headways in the study of the existence of extractable one-way functions (EOWFs). On the negative side, we show that if there exist indistinguishability obfuscators for a certain class of circuits then there do not exist EOWFs where extraction works for any adversarial program with auxiliary input of unbounded polynomial length. On the positive side, for adversarial programs with bounded auxiliary input (and unbounded polynomial running time), we give the first construction of EOWFs with an explicit extraction procedure, based on relatively standard assumptions (e.g., subexponential hardness of Learning with Errors). We then use these functions to construct the first 2-message zero-knowledge arguments and 3-message zero-knowledge arguments of knowledge, against the same class of adversarial verifiers, from essentially the