#### DMCA

## Reusable garbled circuits and succinct functional encryption (2013)

### Cached

### Download Links

Citations: | 42 - 3 self |

### Citations

819 |
Protocols for secure computations,
- Yao
- 1982
(Show Context)
Citation Context ...rcuit garbling scheme, which has been one of the most useful primitives in modern cryptography, is a construction originally suggested by Yao in the 80s in the context of secure two-party computation =-=[57]-=-. This construction relies on the existence of a one-way function to encode an arbitrary circuit C (“garbling” the circuit) and then encode any input x to the circuit (where the size of the encoding i... |

663 | Fully homomorphic encryption using ideal lattices
- Gentry
(Show Context)
Citation Context ...f fully homomorphic encryption was first proposed by Rivest, Adleman and Dertouzos [RAD78] in 1978. The first fully homomorphic encryption scheme was proposed in a breakthrough work by Gentry in 2009 =-=[Gen09]-=-. A history and recent developments on fully homomorphic encryption is surveyed in [Vai11]. We recall the definitions and semantic security of fully homomorphic encryption; the definitions below are b... |

560 |
How to play any mental game.
- Goldreich, Micali, et al.
- 1987
(Show Context)
Citation Context ... circuit C or the input x other than the result C(x). Over the years, garbled circuits and variants thereof have found many applications: two party secure protocols [58], multi-party secure protocols =-=[24]-=-, one-time programs [27], KDM-security [5], verifiable computation [19], homomorphic computations [23] and others. However, a basic limitation of the original construction remains: it offers only one-... |

522 | Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data,”
- Goyal, Pandey, et al.
- 2006
(Show Context)
Citation Context ... the owner is better off doing the computation herself. We remark that functional encryption (FE) arises from, and generalizes, a beautiful sequence of papers on attribute-based encryption (including =-=[7, 32, 33, 35, 36, 48, 54, 55]-=-), and more generally predicate encryption (including [10, 34, 40]). We denote by attribute-based encryption (ABE) an encryption scheme where each ciphertext c of an underlying plaintext message m is ... |

437 | Ciphertext-Policy Attribute-Based Encryption,”
- Bethencourt, Sahai, et al.
- 2007
(Show Context)
Citation Context ... the owner is better off doing the computation herself. We remark that functional encryption (FE) arises from, and generalizes, a beautiful sequence of papers on attribute-based encryption (including =-=[7, 32, 33, 35, 36, 48, 54, 55]-=-), and more generally predicate encryption (including [10, 34, 40]). We denote by attribute-based encryption (ABE) an encryption scheme where each ciphertext c of an underlying plaintext message m is ... |

377 | Fuzzy Identity-Based Encryption,”
- Sahai, Waters
- 2005
(Show Context)
Citation Context ... the owner is better off doing the computation herself. We remark that functional encryption (FE) arises from, and generalizes, a beautiful sequence of papers on attribute-based encryption (including =-=[7, 32, 33, 35, 36, 48, 54, 55]-=-), and more generally predicate encryption (including [10, 34, 40]). We denote by attribute-based encryption (ABE) an encryption scheme where each ciphertext c of an underlying plaintext message m is ... |

363 | On lattices, learning with errors, random linear codes, and cryptography.
- REGEV
- 2009
(Show Context)
Citation Context ... the reader to our full paper [25] for their formal counterparts. The LWE assumption. The security of our results will be based on the Learning with Errors (LWE) assumption, first introduced by Regev =-=[46]-=-. Regev showed that solving the LWE problem on average is (quantumly) as hard as solving the approximate version of several standard lattice problems, such as gapSVP in the worst case. Peikert [44] la... |

348 | On the (im)possibility of obfuscating programs," in
- Barak, Goldreich, et al.
- 2001
(Show Context)
Citation Context ...e program reveals. Whereas ad-hoc program obfuscators are built routinely, and are used in practice as the main software-based technique to fight reverse engineering of programs, in 2000 Barak et al. =-=[4]-=-, followed by Goldwasser and Kalai [26], proved that program obfuscation for general functions is impossible using software alone, with respect to several strong but natural definitions of obfuscation... |

221 | NonInteractive Verifiable Computing: Outsourcing Computation to Untrusted Workers".
- Gennaro, Gentry, et al.
- 2010
(Show Context)
Citation Context ...arbled circuits and variants thereof have found many applications: two party secure protocols [58], multi-party secure protocols [24], one-time programs [27], KDM-security [5], verifiable computation =-=[19]-=-, homomorphic computations [23] and others. However, a basic limitation of the original construction remains: it offers only one-time usage. Specifically, providing an encoding of more than one input ... |

210 | A Sieve Algorithm for the Shortest Lattice Vector Problem
- Ajtai, Kumar, et al.
- 2001
(Show Context)
Citation Context ...or details about the worst-case/average-case connection. The best known algorithms to solve these lattice problems with 5 an approximation factor 2ℓ ϵ in ℓ-dimensional lattices run in time 2Õ(ℓ 1−ϵ) =-=[3, 39]-=- for any constant 0 < ϵ < 1. Specifically, given the current state-of-the-art on lattice algorithms, it is quite plausible that achieving approximation factors 2ℓ ϵ for these lattice problems is hard ... |

196 | On data banks and privacy homomorphisms.
- Rivest, Adleman, et al.
- 1978
(Show Context)
Citation Context ... Appendix A provides more detailed background information on LWE. 2.3 Fully Homomorphic Encryption (FHE) The notion of fully homomorphic encryption was first proposed by Rivest, Adleman and Dertouzos =-=[RAD78]-=- in 1978. The first fully homomorphic encryption scheme was proposed in a breakthrough work by Gentry in 2009 [Gen09]. A history and recent developments on fully homomorphic encryption is surveyed in ... |

183 | Conjunctive, subset, and range queries on encrypted data
- Boneh, Waters
(Show Context)
Citation Context ...cuit computing the function and is independent of the size of the circuit. Up until our work, the known constructions of functional encryption were quite limited. First, the works of Boneh and Waters =-=[10]-=-, Katz, Sahai and Waters [34], Agrawal, Freeman and Vaikuntanathan [1], and Shen, Shi and Waters [50] show functional encryption schemes (based on different assumptions) for a very simple function: th... |

173 | Predicate encryption supporting disjunctions, polynomial equations, and inner products,” in
- Katz, Sahai, et al.
- 2008
(Show Context)
Citation Context ...nd is independent of the size of the circuit. Up until our work, the known constructions of functional encryption were quite limited. First, the works of Boneh and Waters [10], Katz, Sahai and Waters =-=[34]-=-, Agrawal, Freeman and Vaikuntanathan [1], and Shen, Shi and Waters [50] show functional encryption schemes (based on different assumptions) for a very simple function: the inner product function fy (... |

165 | Noise-tolerant learning, the parity problem, and the statistical query model. - Blum, Kalai, et al. - 2003 |

156 | Candidate multilinear maps from ideal lattices.
- GARG, GENTRY, et al.
- 2013
(Show Context)
Citation Context ...general circuits under the less standard k-Multilinear Decisional Diffie-Hellman (see [49] for more details); however, when instantiated with the only construction of multilinear maps currently known =-=[18]-=-, they also achieve ABE for general circuits of bounded depth. Our scheme can be instantiated with any of these schemes because our result is a reduction. When coupling our theorem with the ABE result... |

152 | Public-key cryptosystems from the worst-case shortest vector problem: extended abstract,”
- Peikert
- 2009
(Show Context)
Citation Context ...ev [46]. Regev showed that solving the LWE problem on average is (quantumly) as hard as solving the approximate version of several standard lattice problems, such as gapSVP in the worst case. Peikert =-=[44]-=- later removed the quantum assumption from a variant of this reduction. Given this connection, we state all our results under worst-case lattice assumptions, and in particular, under (a variant of) th... |

145 | Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption,” in
- Lewko, Okamoto, et al.
- 2010
(Show Context)
Citation Context |

141 | Fully Homomorphic Encryption over the Integers,” - Dijk, Gentry, et al. - 2010 |

134 | Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization”, Public key cryptography,
- Waters
- 2011
(Show Context)
Citation Context |

123 |
Relations Among Complexity Measures.
- Pippenger, Fischer
- 1979
(Show Context)
Citation Context ... running time – because otherwise the client would have to do a lot of work and could instead just run the Turing machine on its own. Moreover, for these machines, we cannot use the Pippenger-Fischer =-=[PF79]-=- transformation because the resulting circuits have depth roughly equal to the running time of the transformed machines. Specifically, our input-specific scheme makes sense for the following class of ... |

120 | Efficient fully homomorphic encryption from (standard) LWE,”
- Brakerski, Vaikuntanathan
- 2011
(Show Context)
Citation Context ...eral circuits of bounded depth. Our scheme can be instantiated with any of these schemes because our result is a reduction. When coupling our theorem with the ABE result of [30] and the FHE scheme of =-=[12, 13]-=-, we obtain: COROLLARY 1.2 (INFORMAL). Under the subexponential LWE assumption, for any depth d, there is a single-key functional encryption scheme for general functions computable by circuits of dept... |

109 | Functional Encryption: Definitions and Challenges
- Boneh, Sahai, et al.
- 2011
(Show Context)
Citation Context ...ribute-based encryption offers qualitatively weaker security than functional encryption. Attributebased encryption schemes were also called public-index predicate encryption schemes in the literature =-=[9]-=-. Boneh and Waters [10] introduced the idea of not leaking the attribute as in functional encryption (also called private-index functional encryption). Very recently, the landscape of attribute-based ... |

105 | Cryptographic primitives based on hard learning problems - Blum, Furst, et al. - 1993 |

94 | B.: A proof of security of Yao’s protocol for two-party computation.
- Lindell, Pinkas
- 2009
(Show Context)
Citation Context ...on f is size(Cf ) · poly(n, κ, d1/ϵ) and its depth is depth(Cf ) · poly(logn, log d). Garbled circuits. Garbled circuits were initially presented by Yao [57], then proven secure by Lindell and Pinkas =-=[37]-=-, and recently formalized by Bellare et al. [6]. A garbling scheme for a family of circuits C = {Cn}n∈N, where Cn is a set of boolean circuits taking n-bit inputs, is a tuple of p.p.t. algorithms Gb =... |

87 |
How to generate and exchange secrets (extended abstract). In:
- Yao
- 1986
(Show Context)
Citation Context ... adversary learns nothing about the circuit C or the input x other than the result C(x). Over the years, garbled circuits and variants thereof have found many applications: two party secure protocols =-=[58]-=-, multi-party secure protocols [24], one-time programs [27], KDM-security [5], verifiable computation [19], homomorphic computations [23] and others. However, a basic limitation of the original constr... |

79 | Fully Secure Functional Encryption with General Relations from the Decisional Linear Assumption”, - Okamoto, Takashima - 2010 |

74 | On obfuscating point functions,”
- Wee
- 2005
(Show Context)
Citation Context ...mpts to circumvent the impossibility results in various ways, including adding secure hardware components [8, 27, 31], relaxing the definition of security [28], or considering only specific functions =-=[15, 56]-=-. The problem of obfuscation seems intimately related to the “garbled circuit” problem where given a garbling of a circuit C and an encoding for an input x, one can learn the result of C(x) but nothin... |

73 | (Leveled) fully homomorphic encryption without bootstrapping,”
- Brakerski, Gentry, et al.
- 2012
(Show Context)
Citation Context ...eral circuits of bounded depth. Our scheme can be instantiated with any of these schemes because our result is a reduction. When coupling our theorem with the ABE result of [30] and the FHE scheme of =-=[12, 13]-=-, we obtain: COROLLARY 1.2 (INFORMAL). Under the subexponential LWE assumption, for any depth d, there is a single-key functional encryption scheme for general functions computable by circuits of dept... |

71 | Fully homomorphic encryption from ring-LWE and security for key dependent messages,” - Brakerski, Vaikuntanathan - 2011 |

70 | Fully homomorphic encryption without modulus switching from classical GapSVP. - Brakerski - 2012 |

66 | Predicate privacy in encryption systems,” in
- Shen, Shi, et al.
- 2009
(Show Context)
Citation Context ...wn constructions of functional encryption were quite limited. First, the works of Boneh and Waters [10], Katz, Sahai and Waters [34], Agrawal, Freeman and Vaikuntanathan [1], and Shen, Shi and Waters =-=[50]-=- show functional encryption schemes (based on different assumptions) for a very simple function: the inner product function fy (or a variant of it), that on input x outputs 1 if and only if ⟨x, y⟩ = 0... |

64 | Fully homomorphic encryption with polylog overhead. - Gentry, Halevi, et al. - 2012 |

62 | A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations.
- Micciancio, Voulgaris
- 2010
(Show Context)
Citation Context ...or details about the worst-case/average-case connection. The best known algorithms to solve these lattice problems with 5 an approximation factor 2ℓ ϵ in ℓ-dimensional lattices run in time 2Õ(ℓ 1−ϵ) =-=[3, 39]-=- for any constant 0 < ϵ < 1. Specifically, given the current state-of-the-art on lattice algorithms, it is quite plausible that achieving approximation factors 2ℓ ϵ for these lattice problems is hard ... |

56 | More on average case vs approximation complexity. - Alekhnovich - 2003 |

55 | How to delegate and verify in public: Verifiable computation from attribute-based encryption
- Parno, Raykova, et al.
- 2012
(Show Context)
Citation Context ...ounded Turing machines. The parameters of this LWE assumption are the same as discussed in Corollary 1.2. 1.1.4 Publicly-Verifiable Delegation with Secrecy Recently, Parno, Raykova and Vaikuntanathan =-=[43]-=- showed how to construct a 2-message delegation scheme that is publicly verifiable, in the preprocessing model, from any attribute-based encryption scheme. This reduction can be combined with [30]’s A... |

54 | One-time pro grams.
- Goldwasser, Kalai, et al.
- 2008
(Show Context)
Citation Context ...x other than the result C(x). Over the years, garbled circuits and variants thereof have found many applications: two party secure protocols [58], multi-party secure protocols [24], one-time programs =-=[27]-=-, KDM-security [5], verifiable computation [19], homomorphic computations [23] and others. However, a basic limitation of the original construction remains: it offers only one-time usage. Specifically... |

48 | New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques,” available at: https://eprint.iacr.org/2012/326.pdf, last visited
- Lewko, Waters
- 2012
(Show Context)
Citation Context |

47 | On best-possible obfuscation,
- Goldwasser, Rothblum
- 2014
(Show Context)
Citation Context ... programs remains. A long array of works attempts to circumvent the impossibility results in various ways, including adding secure hardware components [8, 27, 31], relaxing the definition of security =-=[28]-=-, or considering only specific functions [15, 56]. The problem of obfuscation seems intimately related to the “garbled circuit” problem where given a garbling of a circuit C and an encoding for an inp... |

47 |
Avi Wigderson. How to play any mental game
- Goldreich, Micali
- 1987
(Show Context)
Citation Context ...rcuit C or the input x other than the result C(x). Over the years, garbled circuits and variants thereof have found many applications: two party secure protocols [Yao86], multi-party secure protocols =-=[GMW87]-=-, one-time programs [GKR08], KDMsecurity [BHHI10], verifiable computation [GGP10], homomorphic computations [GHV10] and others. However, a basic limitation of the original construction remains: it off... |

46 | On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In: - Lopez-Alt, Tromer, et al. - 2012 |

45 | Bounded ciphertext policy attribute based encryption”,
- Goyal, Jain, et al.
- 2008
(Show Context)
Citation Context |

44 |
Hierarchical Predicate Encryption for Inner Products,”
- Okamoto, Takashima
- 2009
(Show Context)
Citation Context ...ryption (FE) arises from, and generalizes, a beautiful sequence of papers on attribute-based encryption (including [7, 32, 33, 35, 36, 48, 54, 55]), and more generally predicate encryption (including =-=[10, 34, 40]-=-). We denote by attribute-based encryption (ABE) an encryption scheme where each ciphertext c of an underlying plaintext message m is tagged with a public attribute x. Each secret key skf is associate... |

43 | Faster fully homomorphic encryption,” - Stehle, Steinfeld - 2010 |

42 | Attribute-based encryption for circuits.
- Gorbunov, Vaikuntanathan, et al.
- 2013
(Show Context)
Citation Context ...mely, parameter q (the maximum number of keys allowed) is fixed during setup, and the ciphertexts size grows linearly with q. significantly improved with the works of Gorbunov, Vaikuntanathan and Wee =-=[30]-=-, and Sahai and Waters [49], who construct attributebased encryption schemes for general functions, and are a building block for our results. 1.1 Our Results Our main result is the construction of a s... |

40 |
Yael Tauman Kalai. On the impossibility of obfuscation with auxiliary input
- Goldwasser
- 2005
(Show Context)
Citation Context ...bfuscators are built routinely, and are used in practice as the main software-based technique to fight reverse engineering of programs, in 2000 Barak et al. [BGI+01], followed by Goldwasser and Kalai =-=[GK05]-=-, proved that program obfuscation for general functions is impossible using software alone, with respect to several strong but natural definitions of obfuscation. The results of [BGI+01, GK05] mean th... |

39 | Functional encryption for inner product Predicates from learning with errors. Cryptology
- Agrawal, Freeman, et al.
- 2011
(Show Context)
Citation Context ...it. Up until our work, the known constructions of functional encryption were quite limited. First, the works of Boneh and Waters [10], Katz, Sahai and Waters [34], Agrawal, Freeman and Vaikuntanathan =-=[1]-=-, and Shen, Shi and Waters [50] show functional encryption schemes (based on different assumptions) for a very simple function: the inner product function fy (or a variant of it), that on input x outp... |

39 | Functional encryption with bounded collusions via multi-party computation.
- Gorbunov, Vaikuntanathan, et al.
- 2012
(Show Context)
Citation Context ...it), that on input x outputs 1 if and only if ⟨x, y⟩ = 0.2 These works do not shed light on how to extend beyond inner products. Second, Sahai and Seyalioglu [47] and Gorbunov, Vaikuntanathan and Wee =-=[29]-=- provide a construction for single-key functional encryption for one general function with a non-succinct ciphertext size (at least the size of a universal circuit computing the functions allowed by t... |

38 | A Simple BGN-Type Cryptosystem from LWE
- Gentry, Halevi, et al.
- 2010
(Show Context)
Citation Context ...ereof have found many applications: two party secure protocols [58], multi-party secure protocols [24], one-time programs [27], KDM-security [5], verifiable computation [19], homomorphic computations =-=[23]-=- and others. However, a basic limitation of the original construction remains: it offers only one-time usage. Specifically, providing an encoding of more than one input compromises the secrecy of the ... |

37 | Shai Halevi, and Vinod Vaikuntanathan. Fully homomorphic encryption over the integers. - Dijk, Gentry - 2010 |

33 | On the impossibility of obfuscation with auxiliary input,”
- Goldwasser, Kalai
- 2005
(Show Context)
Citation Context ...t generating encodings privately is in fact necessary; if the encodings were publicly generated, the power of the adversary would be the same as in traditional obfuscation, which was shown impossible =-=[4, 26]-=- (see discussion in Sec. 1.1.2). One might wonder though, whether a reusable garbling scheme exists where the encoding generation is secret key, but RGb.Garble is public key. We prove in our full pape... |

30 | Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556, - O’Neill - 2010 |

28 | Yuval Ishai, Amit Sahai, Ramarathnam Venkatesan, and Akshay Wadia. Founding cryptography on tamper-proof hardware tokens. - Goyal - 2010 |

24 | Computing Blindfolded: New Developments in Fully Homomorphic Encryption
- Vaikuntanathan
(Show Context)
Citation Context ... in 1978. The first fully homomorphic encryption scheme was proposed in a breakthrough work by Gentry in 2009 [Gen09]. A history and recent developments on fully homomorphic encryption is surveyed in =-=[Vai11]-=-. We recall the definitions and semantic security of fully homomorphic encryption; the definitions below are based on [Vai11] with some adaptations. Definition 2.1. A homomorphic (public-key) encrypti... |

23 | Bounded key-dependent message security.
- Barak, Haitner, et al.
- 2010
(Show Context)
Citation Context ...sult C(x). Over the years, garbled circuits and variants thereof have found many applications: two party secure protocols [58], multi-party secure protocols [24], one-time programs [27], KDM-security =-=[5]-=-, verifiable computation [19], homomorphic computations [23] and others. However, a basic limitation of the original construction remains: it offers only one-time usage. Specifically, providing an enc... |

21 | Functional encryption for regular languages
- Waters
- 2012
(Show Context)
Citation Context |

19 | Founding cryptography on tamper-proof hardware tokens
- Goyal, Ishai, et al.
- 2010
(Show Context)
Citation Context ...uscated. Still, the need to obfuscate or “garble” programs remains. A long array of works attempts to circumvent the impossibility results in various ways, including adding secure hardware components =-=[8, 27, 31]-=-, relaxing the definition of security [28], or considering only specific functions [15, 56]. The problem of obfuscation seems intimately related to the “garbled circuit” problem where given a garbling... |

18 | Eran Tromer, and Vinod Vaikuntanathan. On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In - Lopez-Alt - 2012 |

16 | Functional encryption: New perspectives and lower bounds.
- Agrawal, Gorbunov, et al.
- 2013
(Show Context)
Citation Context ...ox or to discard it as spam, without learning anything about Alice’s email (except for whether it was deemed spam or not). The recent impossibility result of Agrawal, Gorbunov, Vaikuntanathan and Wee =-=[2]-=- says that functional encryption schemes where an adversary can receive an arbitrary number of keys for general functions are impossible for a natural simulation-based security definition;1 stated dif... |

16 |
Sergey Gorbunov, Vinod Vaikuntanathan, and Hoeteck Wee. Functional encryption: New perspectives and lower bounds. Cryptology ePrint Archive, Report 2012/468
- Agrawal
- 2012
(Show Context)
Citation Context ...ox or to discard it as spam, without learning anything about Alice’s email (except for whether it was deemed spam or not). The recent impossibility result of Agrawal, Gorbunov, Vaikuntanathan and Wee =-=[AGVW12]-=- says that functional encryption schemes where an adversary can receive an arbitrary number of keys for general functions are impossible for a natural simulation-based security definition;1 stated dif... |

15 | Panagiotis Voulgaris. A deterministic single exponential time algorithm for most lattice problems based on Voronoi cell computations - Micciancio - 2010 |

13 |
Worry-free encryption: functional encryption with public keys.
- Sahai, Seyalioglu
- 2010
(Show Context)
Citation Context ...nner product function fy (or a variant of it), that on input x outputs 1 if and only if ⟨x, y⟩ = 0.2 These works do not shed light on how to extend beyond inner products. Second, Sahai and Seyalioglu =-=[47]-=- and Gorbunov, Vaikuntanathan and Wee [29] provide a construction for single-key functional encryption for one general function with a non-succinct ciphertext size (at least the size of a universal ci... |

13 |
Iftach Haitner, Dennis Hofheinz, and Yuval Ishai. Bounded Key-Dependent Message Security
- Barak
- 2010
(Show Context)
Citation Context ...). Over the years, garbled circuits and variants thereof have found many applications: two party secure protocols [Yao86], multi-party secure protocols [GMW87], one-time programs [GKR08], KDMsecurity =-=[BHHI10]-=-, verifiable computation [GGP10], homomorphic computations [GHV10] and others. However, a basic limitation of the original construction remains: it offers only one-time usage. Specifically, providing ... |

12 | Omkant Pandey, and Amit Sahai. Bounded ciphertext policy attribute based encryption - Goyal, Jain - 2008 |

10 | On symmetric encryption and point obfuscation
- Canetti, Kalai, et al.
- 2010
(Show Context)
Citation Context ...mpts to circumvent the impossibility results in various ways, including adding secure hardware components [8, 27, 31], relaxing the definition of security [28], or considering only specific functions =-=[15, 56]-=-. The problem of obfuscation seems intimately related to the “garbled circuit” problem where given a garbling of a circuit C and an encoding for an input x, one can learn the result of C(x) but nothin... |

9 | Homomorphic evaluation of the aes circuit. Cryptology ePrint Archive, Report 2012/099 - Gentry, Halevi, et al. - 2012 |

8 | Fully homomorphic simd operations. Cryptology ePrint Archive, Report 2011/133 - Smart, Vercauteren - 2011 |

7 |
Data Breach Investigations Report,
- Team
- 2013
(Show Context)
Citation Context ...bfuscation. 1. INTRODUCTION Breaches of confidential data are commonplace: personal information of millions of people, such as financial, medical, customer, and employee data, is disclosed every year =-=[45, 53]-=-. These disclosures often happen because untrustworthy systems handle confidential data. As applications move to cloud computing platforms, ensuring Permission to make digital or hard copies of all or... |

7 | Shai Halevi, Yael Tauman - Bitansky, Canetti, et al. - 2011 |

6 |
Garbling schemes. Cryptology ePrint Archive, Report 2012/265
- Bellare, Hoang, et al.
- 2012
(Show Context)
Citation Context ...th is depth(Cf ) · poly(logn, log d). Garbled circuits. Garbled circuits were initially presented by Yao [57], then proven secure by Lindell and Pinkas [37], and recently formalized by Bellare et al. =-=[6]-=-. A garbling scheme for a family of circuits C = {Cn}n∈N, where Cn is a set of boolean circuits taking n-bit inputs, is a tuple of p.p.t. algorithms Gb = (Gb.Garble,Gb.Enc,Gb.Eval) such that Gb.Garble... |

5 | Program obfuscation with leaky hardware
- Canetti, Halevi, et al.
- 2011
(Show Context)
Citation Context ...uscated. Still, the need to obfuscate or “garble” programs remains. A long array of works attempts to circumvent the impossibility results in various ways, including adding secure hardware components =-=[8, 27, 31]-=-, relaxing the definition of security [28], or considering only specific functions [15, 56]. The problem of obfuscation seems intimately related to the “garbled circuit” problem where given a garbling... |

5 | Attribute-based encryption for circuits from multilinear maps. Cryptology ePrint Archive, Report 2012/592
- Sahai, Waters
- 2012
(Show Context)
Citation Context ...mum number of keys allowed) is fixed during setup, and the ciphertexts size grows linearly with q. significantly improved with the works of Gorbunov, Vaikuntanathan and Wee [30], and Sahai and Waters =-=[49]-=-, who construct attributebased encryption schemes for general functions, and are a building block for our results. 1.1 Our Results Our main result is the construction of a succinct single-key function... |

5 | Yael Tauman Kalai, Mayank Varia, and Daniel Wichs. On symmetric encryption and point obfuscation - Canetti - 2010 |

2 |
Cloud security: Verify, don’t trust
- Davis
- 2012
(Show Context)
Citation Context ... STOC’13, June 1–4, 2013, Palo Alto, California, USA. Copyright 2013 ACM 978-1-4503-2029-0/13/06 ...$15.00. data confidentiality on third-party servers that may be untrustworthy becomes a top concern =-=[16]-=-. A powerful technique for preventing data disclosures without having to ensure the server is trustworthy is to encrypt the data provided to the server and then compute on the encrypted data. Thus, if... |

2 | 2012 data breach investigations report. http://www.verizonbusiness. com/resources/reports/rp_data-breach-investigations-report-2012_en_ xg.pdf - Team |