Results 1-10 of 69
Delegatable Pseudorandom Functions and Applications
Cited by 55 (0 self)
Abstract
We put forth the problem of delegating the evaluation of a pseudorandom function (PRF) to an untrusted proxy. A delegatable PRF, or DPRF for short, is a new primitive that enables a proxy to evaluate a PRF on a strict subset of its domain using a trapdoor derived from the DPRF secret key. PRF delegation is policy-based: the trapdoor is constructed with respect to a certain policy that determines the subset of input values which the proxy is allowed to compute. Interesting DPRFs should achieve low-bandwidth delegation: enabling the proxy to compute the PRF values that conform to the policy should be more efficient than simply providing the proxy with the sequence of all such values precomputed. The main challenge in constructing DPRFs is in maintaining the pseudorandomness of unknown values in the face of an attacker that adaptively controls proxy servers. A DPRF may be optionally equipped with an additional property we call policy privacy, where any two delegation predicates remain indistinguishable in the view of a DPRF-querying proxy: achieving this raises new design challenges as policy privacy and efficiency are seemingly conflicting goals. For the important class of policies described as (1-dimensional) ranges, we devise two DPRF constructions and rigorously prove their security. Built upon the well-known tree-based GGM PRF family [15], our constructions are generic and feature only logarithmic delegation size in the number of values conforming to the policy predicate. At only a constant-factor efficiency reduction, we show that our second construction is also policy private. As we finally describe, their new security and efficiency properties render our delegated PRF schemes particularly useful in numerous security applications, including RFID, symmetric searchable encryption, and broadcast encryption.

Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation
Cited by 33 (7 self)
Abstract
In this work, we show how to use indistinguishability obfuscation (iO) to build multiparty key exchange, efficient broadcast encryption, and efficient traitor tracing. Our schemes enjoy several interesting properties that have not been achievable before:
• Our multiparty non-interactive key exchange protocol does not require a trusted setup. Moreover, the size of the published value from each user is independent of the total number of users.
• Our broadcast encryption schemes support distributed setup, where users choose their own secret keys rather than be given secret keys by a trusted entity. The broadcast ciphertext size is independent of the number of users.
• Our traitor tracing system is fully collusion resistant with short ciphertexts, secret keys, and public key. Ciphertext size is logarithmic in the number of users and secret-key size is independent of the number of users. Our public key size is polylogarithmic in the number of users. The recent functional encryption system of Garg, Gentry, Halevi, Raykova, Sahai, and Waters also leads to a traitor tracing with similar ciphertext and secret key size, but the construction in this paper is simpler and more direct. These constructions resolve an open problem relating to differential privacy.
• Generalizing our traitor tracing system gives a private broadcast encryption scheme (where broadcast ciphertexts reveal minimal information about the recipient set) with optimal size ciphertext.
Our proof of security for private broadcast encryption and traitor tracing introduces a new tool for iO proofs: the construction makes use of a key-homomorphic symmetric cipher which plays a crucial role in the proof of security.

Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation, 2013
Cited by 31 (4 self)
Abstract
Our main result gives a way to instantiate the random oracle with a concrete hash function in “full domain hash” applications. The term full domain hash was first proposed by Bellare and Rogaway [BR93, BR96] and referred to a signature scheme from any trapdoor permutation that was part of their seminal work introducing the random oracle heuristic. Over time the term full domain hash has (informally) encompassed a broader range of notable cryptographic schemes including the Boneh-Franklin [BF01] IBE scheme and Boneh-Lynn-Shacham (BLS) [BLS01] signatures. All of the above described schemes required a hash function that had to be modeled as a random oracle to prove security. Our work utilizes recent advances in indistinguishability obfuscation to construct specific hash functions for use in these schemes. We then prove security of the original cryptosystems when instantiated with our specific hash function. Of particular interest, our work evades the impossibility result of Dodis, Oliveira, and Pietrzak [DOP05], who showed that there can be no black-box construction of hash functions that allow Full-Domain Hash Signatures to be based on trapdoor permutations. This indicates that our techniques applying indistinguishability

Fully Secure Functional Encryption without Obfuscation, 2014
Cited by 29 (3 self)
Abstract
Previously known functional encryption (FE) schemes for general circuits relied on indistinguishability obfuscation, which in turn either relies on an exponential number of assumptions (basically, one per circuit), or a polynomial set of assumptions, but with an exponential loss in the security reduction. Additionally, these schemes are proved in an unrealistic selective security model, where the adversary is forced to specify its target before seeing the public parameters. For these constructions, full security can be obtained but at the cost of an exponential loss in the security reduction. In this work, we overcome the above limitations and realize a fully secure functional encryption scheme without using indistinguishability obfuscation. Specifically, the security of our scheme relies only on the polynomial hardness of simple assumptions on multilinear maps.

A punctured programming approach to adaptively secure functional encryption, 2014
Cited by 20 (1 self)
Abstract
We propose a new construction for achieving adaptively secure functional encryption for poly-sized circuits from indistinguishability obfuscation. Our reduction has polynomial loss to the underlying primitives. We develop a “punctured programming” approach to constructing and proving systems where outside of obfuscation we rely only on primitives constructable from pseudorandom generators.

Fully Key-Homomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits, 2014
Cited by 19 (2 self)
Abstract
We construct the first (key-policy) attribute-based encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fan-in gates, thereby further reducing the circuit depth. Building on this ABE system we obtain the first reusable circuit garbling scheme that produces garbled circuits whose size is the same as the original circuit plus an additive poly(λ, d) bits, where λ is the security parameter and d is the circuit depth. Save the additive poly(λ, d) factor, this is the best one could hope for. All previous constructions incurred a multiplicative poly(λ) blowup. As another application, we obtain (single key secure) functional encryption with short secret keys. We construct our attribute-based system using a mechanism we call fully key-homomorphic encryption, which is a public-key system that lets anyone translate a ciphertext encrypted under a public key x into a ciphertext encrypted under the public key (f(x), f) of the same plaintext, for any efficiently computable f. We show that this mechanism gives an ABE with short keys. Security is based on the subexponential hardness of the learning with errors problem. We also present a second (key-policy) ABE, using multilinear maps, with short ciphertexts: an encryption to an attribute vector x is the size of x plus poly(λ, d) additional bits. This gives a reusable circuit garbling scheme where the size of the garbled input is short, namely the same as that of the original input, plus a poly(λ, d) factor.

On the existence of extractable one-way functions, 2014
Cited by 14 (3 self)
Abstract
A function f is extractable if it is possible to algorithmically “extract,” from any adversarial program that outputs a value y in the image of f, a preimage of y. When combined with hardness properties such as one-wayness or collision-resistance, extractability has proven to be a powerful tool. However, so far, extractability has not been explicitly shown. Instead, it has only been considered as a non-standard knowledge assumption on certain functions. We make two headways in the study of the existence of extractable one-way functions (EOWFs). On the negative side, we show that if there exist indistinguishability obfuscators for a certain class of circuits then there do not exist EOWFs where extraction works for any adversarial program with auxiliary input of unbounded polynomial length. On the positive side, for adversarial programs with bounded auxiliary input (and unbounded polynomial running time), we give the first construction of EOWFs with an explicit extraction procedure, based on relatively standard assumptions (e.g., subexponential hardness of Learning with Errors). We then use these functions to construct the first 2-message zero-knowledge arguments and 3-message zero-knowledge arguments of knowledge, against the same class of adversarial verifiers, from essentially the

Multi-input functional encryption
Cited by 13 (3 self)
Abstract
We introduce the problem of Multi-Input Functional Encryption, where a secret key SKf can correspond to an n-ary function f that takes multiple ciphertexts as input. Multi-input functional encryption is a general tool for computing on encrypted data which allows for mining aggregate information from several different data sources (rather than just a single source as in single-input functional encryption). We show wide applications of this primitive to running SQL queries over encrypted databases, non-interactive differentially private data release, delegation of computation, etc. We formulate both indistinguishability-based and simulation-based definitions of security for this notion, and show close connections with indistinguishability and virtual black-box definitions of obfuscation. Assuming indistinguishability obfuscation for circuits, we present constructions achieving indistinguishability security for a large class of settings. We show how to modify this construction to achieve simulation-based security as well, in those settings where simulation security is possible. Assuming differing-inputs obfuscation [Barak et al., FOCS’01], we also provide a construction with similar security guarantees as above, but where the keys and ciphertexts are compact.

Limits of extractability assumptions with distributional auxiliary input, 2013
Cited by 13 (3 self)
Abstract
Extractability, or “knowledge,” assumptions (such as the “knowledge-of-exponent” assumption) have recently gained popularity in the cryptographic community—leading to the study of primitives such as extractable one-way functions, extractable hash functions, succinct non-interactive arguments of knowledge (SNARKs), and extractable obfuscation, and spurring the development of a wide spectrum of new applications relying on these primitives. For most of these applications, it is required that the extractability assumption holds even in the presence of attackers receiving some auxiliary information that is sampled from some fixed efficiently computable distribution Z. We show that, assuming the existence of collision-resistant hash functions, there exists a pair of efficient distributions Z, Z′ such that either
• extractable one-way functions w.r.t. Z do not exist, or
• extractability obfuscations for Turing machines w.r.t. Z′ do not exist.
A corollary of this result shows that assuming existence of fully homomorphic encryption with decryption in NC1, there exist efficient distributions Z, Z′ such that either
• extractability obfuscations for NC1 w.r.t. Z do not exist, or
• SNARKs for NP w.r.t. Z′ do not exist.
To achieve our results, we develop a “succinct punctured program” technique, mirroring the powerful “punctured program” technique of Sahai and Waters (ePrint’13), and present several other applications of this new technique.

Poly-Many Hardcore Bits for Any One-Way Function, 2014
Cited by 11 (2 self)
Abstract
We show how to extract an arbitrary polynomial number of simultaneously hardcore bits from any one-way function. In the case the one-way function is injective or has polynomially-bounded preimage size, we assume the existence of indistinguishability obfuscation (iO). In the general case, we assume the existence of differing-input obfuscation (diO), but of a form weaker than full auxiliary-input diO. Our construction for injective one-way functions extends to extract hardcore bits on multiple, correlated inputs, yielding new DPKE schemes.