Results 1  10
of
42
SNARKs for C: Verifying program executions succinctly and in zero knowledge
 In Proceedings of CRYPTO 2013, LNCS
"... An argument system for NP is a proof system that allows efficient verification of NP statements, given proofs produced by an untrusted yet computationallybounded prover. Such a system is noninteractive and publiclyverifiable if, after a trusted party publishes a proving key and a verification key, ..."
Abstract

Cited by 28 (1 self)
 Add to MetaCart
An argument system for NP is a proof system that allows efficient verification of NP statements, given proofs produced by an untrusted yet computationallybounded prover. Such a system is noninteractive and publiclyverifiable if, after a trusted party publishes a proving key and a verification key, anyone can use the proving key to generate noninteractive proofs for adaptivelychosen NP statements, and proofs can be verified by anyone by using the verification key. We present an implementation of a publiclyverifiable noninteractive argument system for NP. The system, moreover, is a zeroknowledge proofofknowledge. It directly proves correct executions of programs on TinyRAM, a randomaccess machine tailored for efficient verification of nondeterministic computations. Given a program P and time bound T, the system allows for proving correct execution of P, on any input x, for up to T steps, after a onetime setup requiring Õ(P  · T) cryptographic operations. An honest prover requires Õ(P  · T) cryptographic operations to generate such a proof, while proof verification can be performed with only O(x) cryptographic operations. This system can be used to prove the correct execution of C programs, using our TinyRAM port of the GCC compiler. This yields a zeroknowledge Succinct Noninteractive ARgument of Knowledge (zkSNARK) for
On the Achievability of SimulationBased Security for Functional Encryption
"... Abstract. This work attempts to clarify to what extent simulationbased security (SIMsecurity) is achievable for functional encryption (FE) and its relation to the weaker indistinguishabilitybased security (INDsecurity). Our main result is a compiler that transforms any FE scheme for the general ci ..."
Abstract

Cited by 21 (8 self)
 Add to MetaCart
(Show Context)
Abstract. This work attempts to clarify to what extent simulationbased security (SIMsecurity) is achievable for functional encryption (FE) and its relation to the weaker indistinguishabilitybased security (INDsecurity). Our main result is a compiler that transforms any FE scheme for the general circuit functionality (which we denote by CircuitFE) meeting indistinguishabilitybased security (INDsecurity) to a CircuitFE scheme meeting SIMsecurity, where: – In the random oracle model, the resulting scheme is secure for an unbounded number of encryption and key queries, which is the strongest security level one can ask for. – In the standard model, the resulting scheme is secure for a bounded number of encryption and nonadaptive key queries, but an unbounded number of adaptive key queries. This matches known impossibility results and improves upon Gorbunov et al. [CRYPTO’12] (which is only secure for nonadaptive key queries).
Fully KeyHomomorphic Encryption, Arithmetic Circuit ABE, and Compact Garbled Circuits
, 2014
"... We construct the first (keypolicy) attributebased encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fanin gates thereby further redu ..."
Abstract

Cited by 19 (2 self)
 Add to MetaCart
We construct the first (keypolicy) attributebased encryption (ABE) system with short secret keys: the size of keys in our system depends only on the depth of the policy circuit, not its size. Our constructions extend naturally to arithmetic circuits with arbitrary fanin gates thereby further reducing the circuit depth. Building on this ABE system we obtain the first reusable circuit garbling scheme that produces garbled circuits whose size is the same as the original circuit plus an additive poly(λ, d) bits, where λ is the security parameter and d is the circuit depth. Save the additive poly(λ, d) factor, this is the best one could hope for. All previous constructions incurred a multiplicative poly(λ) blowup. As another application, we obtain (single key secure) functional encryption with short secret keys. We construct our attributebased system using a mechanism we call fully keyhomomorphic encryption which is a publickey system that lets anyone translate a ciphertext encrypted under a publickey x into a ciphertext encrypted under the publickey (f(x), f) of the same plaintext, for any efficiently computable f. We show that this mechanism gives an ABE with short keys. Security is based on the subexponential hardness of the learning with errors problem. We also present a second (keypolicy) ABE, using multilinear maps, with short ciphertexts: an encryption to an attribute vector x is the size of x plus poly(λ, d) additional bits. This gives a reusable circuit garbling scheme where the size of the garbled input is short, namely the same as that of the original input, plus a poly(λ, d) factor.
Functionprivate identitybased encryption: Hiding the function in functional encryption
 Advances in Cryptology – CRYPTO ’13. Available as Cryptology ePrint Archive, Report 2013/283
, 2013
"... We put forward a new notion, function privacy, in identitybased encryption and, more generally, in functional encryption. Intuitively, our notion asks that decryption keys reveal essentially no information on their corresponding identities, beyond the absolute minimum necessary. This is motivated b ..."
Abstract

Cited by 16 (3 self)
 Add to MetaCart
We put forward a new notion, function privacy, in identitybased encryption and, more generally, in functional encryption. Intuitively, our notion asks that decryption keys reveal essentially no information on their corresponding identities, beyond the absolute minimum necessary. This is motivated by the need for providing predicate privacy in publickey searchable encryption. Formalizing such a notion, however, is not straightforward as given a decryption key it is always possible to learn some information on its corresponding identity by testing whether it correctly decrypts ciphertexts that are encrypted for specific identities. In light of such an inherent difficulty, any meaningful notion of function privacy must be based on the minimal assumption that, from the adversary’s point of view, identities that correspond to its given decryption keys are sampled from somewhat unpredictable distributions. We show that this assumption is in fact sufficient for obtaining a strong and realistic notion of function privacy. Loosely speaking, our framework requires that a decryption key corresponding to an identity sampled from any sufficiently unpredictable distribution is indistinguishable from a decryption key corresponding to an independently and uniformly sampled identity. Within our framework we develop an approach for designing functionprivate identitybased encryption schemes, leading to constructions that are based on standard assumptions in bilinear groups (DBDH, DLIN) and lattices (LWE). In addition to function privacy, our schemes are also anonymous, and thus yield the first publickey searchable encryption schemes that are provably
Encoding Functions with Constant Online Rate or How to Compress Garbled Circuits Keys
, 2013
"... Randomized encodings of functions can be used to replace a “complex ” function f(x) by a “simpler ” randomized mapping ˆ f(x; r) whose output distribution on an input x encodes the value of f(x) and hides any other information. One desirable feature of randomized encodings is low online complexity. ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
(Show Context)
Randomized encodings of functions can be used to replace a “complex ” function f(x) by a “simpler ” randomized mapping ˆ f(x; r) whose output distribution on an input x encodes the value of f(x) and hides any other information. One desirable feature of randomized encodings is low online complexity. That is, the goal is to obtain a randomized encoding ˆ f of f in which most of the output can be precomputed and published before seeing the input x. When the input x is available, it remains to publish only a short string ˆx, where the online complexity of computing ˆx is independent of (and is typically much smaller than) the complexity of computing f. Yao’s garbled circuit construction gives rise to such randomized encodings in which the online part ˆx consists of n encryption keys of length κ each, where n = x  and κ is a security parameter. Thus, the online rate ˆx/x  of this encoding is proportional to the security parameter κ. In this paper, we show that the online rate can be dramatically improved. Specifically, we show how to encode any polynomialtime computable function f: {0, 1} n → {0, 1} m(n) with online rate of 1+o(1) and with nearly linear online computation. More concretely, the online part ˆx consists of an nbit string and a single encryption key. These constructions can be based on
Succinct noninteractive zeroknowledge for a von Neumann architecture
, 2014
"... We build a system that provides succinct noninteractive zeroknowledge proofs (zkSNARKs) for program executions on a von Neumann RISC architecture. The system has two components: a cryptographic proof system for verifying satisfiability of arithmetic circuits, and a circuit generator to translate ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
We build a system that provides succinct noninteractive zeroknowledge proofs (zkSNARKs) for program executions on a von Neumann RISC architecture. The system has two components: a cryptographic proof system for verifying satisfiability of arithmetic circuits, and a circuit generator to translate program executions to such circuits. Our design of both components improves in functionality and efficiency over prior work, as follows. Our circuit generator is the first to be universal: it does not need to know the program, but only a bound on its running time. Moreover, the size of the output circuit depends additively (rather than multiplicatively) on program size, allowing verification of larger programs. The cryptographic proof system improves proving and verification times, by leveraging new algorithms and a pairing library tailored to the protocol. We evaluated our system for programs with up to 10,000 instructions, running for up to 32,000 machine steps, each of which can arbitrarily access randomaccess memory; and also demonstrated it executing programs that use justintime compilation. Our proofs are 230 bytes long at 80 bits of security, or 288 bytes long at 128 bits of security. Typical verification time is 5 milliseconds, regardless of the original program’s running time.
FunctionPrivate Functional Encryption in the PrivateKey Setting
"... Functional encryption supports restricted decryption keys that allow users to learn specic functions of the encrypted messages. Whereas the vast majority of research on functional encryption has so far focused on the privacy of the encrypted messages, in many realistic scenarios it is crucial to of ..."
Abstract

Cited by 12 (4 self)
 Add to MetaCart
Functional encryption supports restricted decryption keys that allow users to learn specic functions of the encrypted messages. Whereas the vast majority of research on functional encryption has so far focused on the privacy of the encrypted messages, in many realistic scenarios it is crucial to offer privacy also for the functions for which decryption keys are provided. Whereas function privacy is inherently limited in the publickey setting, in the privatekey setting it has a tremendous potential. Specically, one can hope to construct schemes where encryptions of messages m1; : : :;mT together with decryption keys corresponding to functions f1; : : : ; fT, reveal essentially no information other than the values ffi(mj)gi;j2[T]. Despite its great potential, the known functionprivate privatekey schemes either support rather limited families of functions (such as inner products), or offer somewhat weak notions of function privacy. We present a generic transformation that yields a functionprivate functional encryption scheme, starting with any nonfunctionprivate scheme for a sufficiently rich function class. Our transformation preserves the message privacy of the underlying scheme, and can be instantiated using a variety of existing schemes. Plugging in known constructions of functional encryption schemes, we obtain functionprivate schemes based either on obfuscation assumptions, on the Learning with Errors assumption, or even on general publickey encryption (offering various tradeoffs between security and efficiency). 1
Building web applications on top of encrypted data using Mylar
"... Web applications rely on servers to store and process confidential information. However, anyone who gains access to the server (e.g., an attacker, a curious administrator, or a government) can obtain all of the data stored there. This paper presents Mylar, a platform for building web applications, w ..."
Abstract

Cited by 11 (4 self)
 Add to MetaCart
(Show Context)
Web applications rely on servers to store and process confidential information. However, anyone who gains access to the server (e.g., an attacker, a curious administrator, or a government) can obtain all of the data stored there. This paper presents Mylar, a platform for building web applications, which protects data confidentiality against attackers with full access to servers. Mylar stores sensitive data encrypted on the server, and decrypts that data only in users ’ browsers. Mylar addresses three challenges in making this approach work. First, Mylar allows the server to perform keyword search over encrypted documents, even if the documents are encrypted with different keys. Second, Mylar allows users to share keys and encrypted data securely in the presence of an active adversary. Finally, Mylar ensures that clientside application code is authentic, even if the server is malicious. Results with a prototype of Mylar built on top of the Meteor framework are promising: porting 6 applications required changing just 36 lines of code on average, and the performance overheads are modest, amounting to a 17 % throughput loss and a 50 ms latency increase for sending a message in a chat application. 1
FunctionPrivate SubspaceMembership Encryption and Its Applications
"... Boneh, Raghunathan, and Segev (CRYPTO ’13) have recently put forward the notion of function privacy and applied it to identitybased encryption, motivated by the need for providing predicate privacy in publickey searchable encryption. Intuitively, their notion asks that decryption keys reveal essen ..."
Abstract

Cited by 9 (2 self)
 Add to MetaCart
Boneh, Raghunathan, and Segev (CRYPTO ’13) have recently put forward the notion of function privacy and applied it to identitybased encryption, motivated by the need for providing predicate privacy in publickey searchable encryption. Intuitively, their notion asks that decryption keys reveal essentially no information on their corresponding identities, beyond the absolute minimum necessary. While Boneh et al. showed how to construct functionprivate identitybased encryption (which implies predicateprivate encrypted keyword search), searchable encryption typically requires a richer set of predicates. In this paper we significantly extend the function privacy framework. First, we introduce the new notion of subspacemembership encryption, a generalization of innerproduct encryption, and formalize a meaningful and realistic notion for capturing its function privacy. Then, we present a generic construction of a functionprivate subspacemembership encryption scheme based on any innerproduct encryption scheme. This is the first generic construction that yields a functionprivate encryption scheme based on a nonfunctionprivate one. Finally, we present various applications of functionprivate subspacemembership encryption.
On the Communication Complexity of Secure Function Evaluation with Long Output
"... We study the communication complexity of secure function evaluation (SFE). Consider a setting where Alice has a short input xA, Bob has an input xB and we want Bob to learn some function y = f(xA, xB) with large output size. For example, Alice has a small secret decryption key, Bob has a large encry ..."
Abstract

Cited by 7 (2 self)
 Add to MetaCart
We study the communication complexity of secure function evaluation (SFE). Consider a setting where Alice has a short input xA, Bob has an input xB and we want Bob to learn some function y = f(xA, xB) with large output size. For example, Alice has a small secret decryption key, Bob has a large encrypted database and we want Bob to learn the decrypted data without learning anything else about Alice’s key. In a trivial insecure protocol, Alice can just send her short input xA to Bob. However, all known SFE protocols have communication complexity that scales with size of the output y, which can potentially be much larger. Is such “outputsize dependence ” inherent in SFE? Surprisingly, we show that outputsize dependence can be avoided in the honestbutcurious setting. In particular, using indistinguishability obfuscation (iO) and fully homomorphic encryption (FHE), we construct the first honestbutcurious SFE protocol whose communication complexity only scales with that of the best insecure protocol for evaluating the desired function, independent of the output size. Our construction relies on a novel way of using iO via a new tool that we call a “somewhere statistically binding (SSB) hash”, and which may be of independent interest. On the negative side, we show that outputsize dependence is inherent in the fully malicious setting, or even already in an honestbutdeterministic setting, where the corrupted party follows the protocol as specified but fixes its random tape to some deterministic value. Moreover, we show that even in an offline/online protocol, the communication of the online phase must have outputsize dependence. This negative result uses an incompressibility argument and it generalizes several recent lower bounds for functional encryption and (reusable) garbled circuits, which follow as simple corollaries of our general theorem. 1