Function-Private Functional Encryption in the Private-Key Setting
Abstract

Cited by 12 (4 self)
Functional encryption supports restricted decryption keys that allow users to learn specific functions of the encrypted messages. Whereas the vast majority of research on functional encryption has so far focused on the privacy of the encrypted messages, in many realistic scenarios it is crucial to offer privacy also for the functions for which decryption keys are provided. Whereas function privacy is inherently limited in the public-key setting, in the private-key setting it has a tremendous potential. Specifically, one can hope to construct schemes where encryptions of messages m_1, ..., m_T together with decryption keys corresponding to functions f_1, ..., f_T reveal essentially no information other than the values {f_i(m_j)}_{i,j ∈ [T]}. Despite its great potential, the known function-private private-key schemes either support rather limited families of functions (such as inner products), or offer somewhat weak notions of function privacy. We present a generic transformation that yields a function-private functional encryption scheme, starting with any non-function-private scheme for a sufficiently rich function class. Our transformation preserves the message privacy of the underlying scheme, and can be instantiated using a variety of existing schemes. Plugging in known constructions of functional encryption schemes, we obtain function-private schemes based either on obfuscation assumptions, on the Learning with Errors assumption, or even on general public-key encryption (offering various tradeoffs between security and efficiency).
New and improved key-homomorphic pseudorandom functions. Cryptology ePrint Archive, Report 2014/074
, 2014
Abstract

Cited by 8 (3 self)
A key-homomorphic pseudorandom function (PRF) family {F_s : D → R} allows one to efficiently compute the value F_{s+t}(x) given F_s(x) and F_t(x). Such functions have many applications, such as distributing the operation of a key-distribution center and updatable symmetric encryption. The only known construction of key-homomorphic PRFs without random oracles, due to Boneh et al. (CRYPTO 2013), is based on the learning with errors (LWE) problem and hence on worst-case lattice problems. However, the security proof relies on a very strong LWE assumption (i.e., very large approximation factors), and hence has quite inefficient parameter sizes and runtimes. In this work we give new constructions of key-homomorphic PRFs that are based on much weaker LWE assumptions, are much more efficient in time and space, and are still highly parallel. More specifically, we improve the LWE approximation factor from exponential in the input length to exponential in its logarithm (or less). For input length λ and 2^λ security against known lattice algorithms, we improve the key size from λ^3 to λ bits, the public parameters from λ^6 to λ^2 bits, and the runtime from λ^7 to λ^(ω+1) bit operations (ignoring polylogarithmic factors in λ), where ω ∈ [2, 2.373] is the exponent of matrix multiplication. In addition, we give even more efficient ring-LWE-based constructions whose key sizes, public parameters, and incremental runtimes on consecutive inputs are all quasilinear Õ(λ), which is optimal up to polylogarithmic factors. To our knowledge, these are the first low-depth PRFs (whether key homomorphic or not) enjoying any of these efficiency measures together with non-trivial proofs of 2^λ security under any conventional assumption.
Improved dual system ABE in prime-order groups via predicate encodings
 In Eurocrypt
, 2015
Abstract

Cited by 5 (2 self)
We present a modular framework for the design of efficient adaptively secure attribute-based encryption (ABE) schemes for a large class of predicates under the standard k-Lin assumption in prime-order groups; this is the first uniform treatment of dual system ABE across different predicates and across both composite- and prime-order groups. Via this framework, we obtain concrete efficiency improvements for several ABE schemes. Our framework has three novel components over prior works: (i) new techniques for simulating composite-order groups in prime-order ones, (ii) a refinement of the prior encodings framework for dual system ABE in composite-order groups, (iii) an extension to weakly attribute-hiding predicate encryption (which includes anonymous identity-based encryption as a special case).
Fully secure and succinct attribute based encryption for circuits from multilinear maps. IACR Cryptology ePrint Archive
 In Proc. of CRYPTO, volume 3152 of LNCS
, 2004
Abstract

Cited by 4 (1 self)
We propose new fully secure attribute based encryption (ABE) systems for polynomial-size circuits in both key-policy and ciphertext-policy flavors. All the previous ABE systems for circuits were proved only selectively secure. Our schemes are based on asymmetric graded encoding systems in composite-order settings. The assumptions consist of the Subgroup Decision assumptions and two assumptions which are similar to the Multilinear Decisional Diffie-Hellman assumption (but more complex) and are proved to hold in the generic graded encoding model. Both of our systems enjoy succinctness: key and ciphertext sizes are proportional to their corresponding circuit and input string sizes. Our ciphertext-policy ABE for circuits is the first to achieve succinctness, and the first that can deal with unbounded-size circuits (even among selectively secure systems). We develop new techniques for proving co-selective security of key-policy ABE for circuits, which is the main ingredient for the dual-system encryption framework that uses computational arguments for enforcing full security.
Partial Garbling Schemes and Their Applications
Abstract

Cited by 3 (1 self)
Garbling schemes (aka randomized encodings of functions) represent a function F by a "simpler" randomized function F̂ such that F̂(x) reveals F(x) and no additional information about x. Garbling schemes have found applications in many areas of cryptography. Motivated by the goal of improving the efficiency of garbling schemes, we make the following contributions:
– We suggest a general new notion of partial garbling which unifies several previous notions from the literature, including standard garbling schemes, secret sharing schemes, and "conditional disclosure of secrets". This notion considers garbling schemes in which part of the input is public, in the sense that it can be leaked by F̂.
– We present constructions of partial garbling schemes for (boolean and arithmetic) formulas and branching programs which take advantage of the public input to gain better efficiency.
– We demonstrate the usefulness of the new notion by presenting applications to efficient attribute-based encryption, delegation, and secure computation. In each of these applications, we obtain either new schemes for larger classes of functions or efficiency improvements from quadratic to linear. In particular, we obtain the first ABE scheme in bilinear groups for arithmetic formulas, as well as more efficient delegation schemes for boolean and arithmetic branching programs.
Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings
Abstract

Cited by 2 (1 self)
We show a generic conversion that converts an attribute based encryption (ABE) scheme for an arbitrary predicate into an ABE scheme for its dual predicate. In particular, it can convert key-policy ABE (KP-ABE) into ciphertext-policy ABE (CP-ABE), and vice versa, for dually related predicates. It is generic in the sense that it can be applied to arbitrary predicates. On the other hand, it works only within the generic ABE framework recently proposed by Attrapadung (Eurocrypt'14), which provides a generic compiler that compiles a simple primitive called pair encodings into fully secure ABE. Inside this framework, Attrapadung proposed the first generic dual conversion, which works only for a subclass of encodings, namely, perfectly secure encodings. However, there are many predicates for which realizations of such encodings are not known, and hence the problems of constructing fully secure ABE for their dual predicates were left unsolved. In this paper, we revisit the dual conversion of Attrapadung, and show that, somewhat surprisingly, the very same conversion indeed also works for broader classes of encodings, namely, computationally secure encodings. Consequently, we thus solve the above open
Multilinear Maps Using Ideal Lattices without Encodings of Zero
, 2015
Abstract

Cited by 2 (1 self)
Recently, Garg, Gentry and Halevi (GGH) described the first candidate multilinear maps using ideal lattices. However, there exists a zeroizing attack on the GGH construction. We first describe an improved construction of multilinear maps from ideal lattices, by multiplying matrices on both sides of the level-1 encoding of a nonzero element. The security of our construction depends upon a new hardness assumption, which is seemingly closely related to hardness problems of lattices. Then, we describe an asymmetric construction to avoid any nontrivial encoding of zero. Using our constructions over a polynomial ring instead of the integer ring, we implement a one-round multipartite Diffie-Hellman key exchange protocol to decrease the public parameter size.
Dual System Encryption Framework in Prime-Order Groups
 IACR Cryptology ePrint Archive
, 2015
Abstract

Cited by 1 (0 self)
We propose a new generic framework for achieving fully secure attribute based encryption (ABE) in prime-order bilinear groups. It is generic in the sense that it can be applied to ABE for an arbitrary predicate. All previously available frameworks that are generic in this sense are given only in composite-order bilinear groups, whose operations are known to be much less efficient than in prime-order ones for the same security level. These consist of the frameworks by Wee (TCC'14) and Attrapadung (Eurocrypt'14). Both provide abstractions of dual-system encryption techniques introduced by Waters (Crypto'09). Our framework can be considered as a prime-order version of Attrapadung's framework and works in a similar manner: it relies on a main component called pair encodings, and it generically compiles any secure pair encoding scheme for a predicate in consideration to a fully secure ABE scheme for that predicate. One feature of our new compiler is that although the resulting ABE schemes will be newly defined in prime-order groups, we require essentially the same security notions of pair encodings as before. Besides the security of pair encodings, our framework assumes only the Matrix Diffie-Hellman assumption (Escala et al., Crypto'13), which is a
Riding on Asymmetry: Efficient ABE for Branching Programs
, 2014
Abstract
In an Attribute-Based Encryption (ABE) scheme a ciphertext, encrypting a message µ, is associated with a public attribute vector x and a secret key sk_P is associated with a predicate P. The decryption returns µ if and only if P(x) = 1. ABE provides an efficient and simple mechanism for data sharing supporting fine-grained access control. Moreover, it is used as a critical component in constructions of succinct functional encryption, reusable garbled circuits, token-based obfuscation and more. In this work, we describe a new efficient ABE scheme for a family of branching programs with short secret keys over a small ring. In particular, in our construction the size of the secret key for a branching program P is |P| + poly(λ), where λ is the security parameter. Our construction is secure assuming n^{ω(1)}-hardness of the standard Learning With Errors (LWE) problem, resulting in a small ring modulus. Previous constructions relied on n^{O(log n)}-hardness of LWE (resulting in a large ring modulus) or had large secret keys of size |P| × poly(λ). We rely on techniques developed by Boneh et al. (EUROCRYPT'14) and Brakerski et al. (ITCS'14) in the context of ABE for circuits and fully-homomorphic encryption.
Short Signatures from Homomorphic Trapdoor Functions
, 2015
Abstract
We present a lattice-based stateless signature scheme provably secure in the standard model. Our scheme has a constant number of matrices in the public key and a single lattice vector (plus a tag) in the signatures. The best previous lattice-based encryption schemes were the scheme of Ducas and Micciancio (CRYPTO 2014), which required a logarithmic number of matrices in the public key, and that of Böhl et al. (J. of Cryptology 2014), which required a logarithmic number of lattice vectors in the signature. Our main technique involves using fully homomorphic computation to compute a degree-d polynomial over the tags hidden in the matrices in the public key. In the scheme of Ducas and Micciancio, only functions linear over the tags in the public key matrices were used, which necessitated having d matrices in the public key. As a matter of independent interest, we extend Wichs' (eprint 2014) recent construction of homomorphic trapdoor functions into a primitive we call puncturable homomorphic trapdoor functions (PHTDFs). This primitive abstracts out most of the properties required in many different lattice-based cryptographic constructions. We then show how to combine a PHTDF along with a function satisfying certain properties (to be evaluated homomorphically) to give an eu-scma signature scheme.