Function-Private Functional Encryption in the Private-Key Setting
Abstract
Cited by 12 (4 self)
Functional encryption supports restricted decryption keys that allow users to learn specific functions of the encrypted messages. Whereas the vast majority of research on functional encryption has so far focused on the privacy of the encrypted messages, in many realistic scenarios it is crucial to offer privacy also for the functions for which decryption keys are provided. Whereas function privacy is inherently limited in the public-key setting, in the private-key setting it has a tremendous potential. Specifically, one can hope to construct schemes where encryptions of messages m1, …, mT together with decryption keys corresponding to functions f1, …, fT reveal essentially no information other than the values {fi(mj)}i,j∈[T]. Despite its great potential, the known function-private private-key schemes either support rather limited families of functions (such as inner products), or offer somewhat weak notions of function privacy. We present a generic transformation that yields a function-private functional encryption scheme, starting with any non-function-private scheme for a sufficiently rich function class. Our transformation preserves the message privacy of the underlying scheme, and can be instantiated using a variety of existing schemes. Plugging in known constructions of functional encryption schemes, we obtain function-private schemes based either on obfuscation assumptions, on the Learning with Errors assumption, or even on general public-key encryption (offering various tradeoffs between security and efficiency).
New and improved key-homomorphic pseudorandom functions. Cryptology ePrint Archive, Report 2014/074, 2014
Abstract
Cited by 8 (3 self)
A key-homomorphic pseudorandom function (PRF) family {F_s: D → R} allows one to efficiently compute the value F_{s+t}(x) given F_s(x) and F_t(x). Such functions have many applications, such as distributing the operation of a key-distribution center and updatable symmetric encryption. The only known construction of key-homomorphic PRFs without random oracles, due to Boneh et al. (CRYPTO 2013), is based on the learning with errors (LWE) problem and hence on worst-case lattice problems. However, the security proof relies on a very strong LWE assumption (i.e., very large approximation factors), and hence has quite inefficient parameter sizes and runtimes. In this work we give new constructions of key-homomorphic PRFs that are based on much weaker LWE assumptions, are much more efficient in time and space, and are still highly parallel. More specifically, we improve the LWE approximation factor from exponential in the input length to exponential in its logarithm (or less). For input length λ and 2^λ security against known lattice algorithms, we improve the key size from λ^3 to λ bits, the public parameters from λ^6 to λ^2 bits, and the runtime from λ^7 to λ^{ω+1} bit operations (ignoring polylogarithmic factors in λ), where ω ∈ [2, 2.373] is the exponent of matrix multiplication. In addition, we give even more efficient ring-LWE-based constructions whose key sizes, public parameters, and incremental runtimes on consecutive inputs are all quasilinear Õ(λ), which is optimal up to polylogarithmic factors. To our knowledge, these are the first low-depth PRFs (whether key homomorphic or not) enjoying any of these efficiency measures together with nontrivial proofs of 2^λ security under any conventional assumption.
Improved dual system ABE in prime-order groups via predicate encodings. In Eurocrypt, 2015
Abstract
Cited by 6 (2 self)
We present a modular framework for the design of efficient adaptively secure attribute-based encryption (ABE) schemes for a large class of predicates under the standard k-Lin assumption in prime-order groups; this is the first uniform treatment of dual system ABE across different predicates and across both composite- and prime-order groups. Via this framework, we obtain concrete efficiency improvements for several ABE schemes. Our framework has three novel components over prior works: (i) new techniques for simulating composite-order groups in prime-order ones, (ii) a refinement of the prior encodings framework for dual system ABE in composite-order groups, (iii) an extension to weakly attribute-hiding predicate encryption (which includes anonymous identity-based encryption as a special case).
Fully secure and succinct attribute based encryption for circuits from multilinear maps. IACR Cryptology ePrint Archive. In Proc. of CRYPTO, volume 3152 of LNCS, 2004
Abstract
Cited by 4 (1 self)
We propose new fully secure attribute based encryption (ABE) systems for polynomial-size circuits in both key-policy and ciphertext-policy flavors. All the previous ABE systems for circuits were proved only selectively secure. Our schemes are based on asymmetric graded encoding systems in composite-order settings. The assumptions consist of the Subgroup Decision assumptions and two assumptions which are similar to the Multilinear Decisional Diffie-Hellman assumption (but more complex) and are proved to hold in the generic graded encoding model. Both of our systems enjoy succinctness: key and ciphertext sizes are proportional to their corresponding circuit and input string sizes. Our ciphertext-policy ABE for circuits is the first to achieve succinctness, and the first that can deal with unbounded-size circuits (even among selectively secure systems). We develop new techniques for proving co-selective security of key-policy ABE for circuits, which is the main ingredient for the dual-system encryption framework that uses computational arguments for enforcing full security.
Partial Garbling Schemes and Their Applications
Abstract
Cited by 3 (1 self)
Garbling schemes (aka randomized encodings of functions) represent a function F by a “simpler” randomized function F̂ such that F̂(x) reveals F(x) and no additional information about x. Garbling schemes have found applications in many areas of cryptography. Motivated by the goal of improving the efficiency of garbling schemes, we make the following contributions:
– We suggest a general new notion of partial garbling which unifies several previous notions from the literature, including standard garbling schemes, secret sharing schemes, and “conditional disclosure of secrets”. This notion considers garbling schemes in which part of the input is public, in the sense that it can be leaked by F̂.
– We present constructions of partial garbling schemes for (boolean and arithmetic) formulas and branching programs which take advantage of the public input to gain better efficiency.
– We demonstrate the usefulness of the new notion by presenting applications to efficient attribute-based encryption, delegation, and secure computation. In each of these applications, we obtain either new schemes for larger classes of functions or efficiency improvements from quadratic to linear. In particular, we obtain the first ABE scheme in bilinear groups for arithmetic formulas, as well as more efficient delegation schemes for boolean and arithmetic branching programs.
Multilinear Maps Using Ideal Lattices without Encodings of Zero, 2015
Abstract
Cited by 2 (1 self)
Recently, Garg, Gentry and Halevi (GGH) described the first candidate multilinear maps using ideal lattices. However, there exists a zeroizing attack on the GGH construction. We first describe an improved construction of multilinear maps from ideal lattices, by multiplying matrices on both sides of the level-1 encoding of a nonzero element. The security of our construction depends upon a new hardness assumption, which is seemingly closely related to hardness problems of lattices. Then, we describe an asymmetric construction to avoid any nontrivial encoding of zero. Using our constructions over a polynomial ring instead of the integer ring, we implement a one-round multipartite Diffie-Hellman key exchange protocol to decrease the public parameter size.
Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings
Abstract
Cited by 2 (1 self)
We show a generic conversion that converts an attribute based encryption (ABE) scheme for an arbitrary predicate into an ABE scheme for its dual predicate. In particular, it can convert key-policy ABE (KP-ABE) into ciphertext-policy ABE (CP-ABE), and vice versa, for dually related predicates. It is generic in the sense that it can be applied to arbitrary predicates. On the other hand, it works only within the generic ABE framework recently proposed by Attrapadung (Eurocrypt’14), which provides a generic compiler that compiles a simple primitive called pair encodings into fully secure ABE. Inside this framework, Attrapadung proposed the first generic dual conversion that works only for a subclass of encodings, namely, perfectly secure encodings. However, there are many predicates for which realizations of such encodings are not known, and hence the problems of constructing fully secure ABE for their dual predicates were left unsolved. In this paper, we revisit the dual conversion of Attrapadung, and show that, somewhat surprisingly, the very same conversion indeed also works for broader classes of encodings, namely, computationally secure encodings. Consequently, we thus solve the above open
Dual System Encryption Framework in Prime-Order Groups. IACR Cryptology ePrint Archive, 2015
Abstract
Cited by 1 (0 self)
We propose a new generic framework for achieving fully secure attribute based encryption (ABE) in prime-order bilinear groups. It is generic in the sense that it can be applied to ABE for an arbitrary predicate. All previously available frameworks that are generic in this sense are given only in composite-order bilinear groups, whose operations are known to be much less efficient than in prime-order ones for the same security level. These consist of the frameworks by Wee (TCC’14) and Attrapadung (Eurocrypt’14). Both provide abstractions of dual-system encryption techniques introduced by Waters (Crypto’09). Our framework can be considered as a prime-order version of Attrapadung’s framework and works in a similar manner: it relies on a main component called pair encodings, and it generically compiles any secure pair encoding scheme for the predicate in consideration to a fully secure ABE scheme for that predicate. One feature of our new compiler is that although the resulting ABE schemes will be newly defined in prime-order groups, we require essentially the same security notions of pair encodings as before. Besides the security of pair encodings, our framework assumes only the Matrix Diffie-Hellman assumption (Escala et al., Crypto’13), which is a
A Decade of Lattice Cryptography, 2016
Abstract
Cited by 1 (0 self)
Lattice-based cryptography is the use of conjectured hard problems on point lattices in R^n as the foundation for secure cryptographic constructions. Attractive features of lattice cryptography include: apparent resistance to quantum attacks (in contrast with most number-theoretic cryptography), high asymptotic efficiency and parallelism, security under worst-case intractability assumptions, and solutions to long-standing open problems in cryptography. This work surveys most of the major developments in lattice cryptography over the past ten years. The main focus is on the foundational short integer solution (SIS) and learning with errors (LWE) problems (and their more efficient ring-based variants), their provable hardness assuming the worst-case intractability of
Fully Secure Functional Encryption for Inner Products, from Standard Assumptions
Abstract
Functional encryption is a modern public-key paradigm where a master secret key can be used to derive subkeys SK_F associated with certain functions F in such a way that the decryption operation reveals F(M), if M is the encrypted message, and nothing else. Recently, Abdalla et al. gave simple and efficient realizations of the primitive for the computation of linear functions on encrypted data: given an encryption of a vector y over some specified base ring, a secret key SK_x for the vector x allows computing 〈x, y〉. Their technique surprisingly allows for instantiations under standard assumptions, like the hardness of the Decision Diffie-Hellman (DDH) and Learning-with-Errors (LWE) problems. Their constructions, however, are only proved secure against selective adversaries, which have to declare the challenge messages M0 and M1 at the outset of the game. In this paper, we provide constructions that provably achieve security against more realistic adaptive attacks (where the messages M0 and M1