Results 1  10
of
55
Candidate Multilinear Maps from Ideal Lattices and Applications
, 2012
"... We describe plausible latticebased constructions wit hproperties that approximate the sought after multilinear maps in harddiscretelogarithm groups, and show that some applications of such multilinear maps can be realized using our approximations. The security of our constructions relies on seem ..."
Abstract

Cited by 156 (15 self)
 Add to MetaCart
We describe plausible latticebased constructions wit hproperties that approximate the sought after multilinear maps in harddiscretelogarithm groups, and show that some applications of such multilinear maps can be realized using our approximations. The security of our constructions relies on seemingly hard problems in ideal lattices, which can be viewed as extensions of the assumed hardness of the NTRU function.
Functional Signatures and Pseudorandom Functions
, 2013
"... In this paper, we introduce functional digital signatures and pseudorandom functions. In a functional signature scheme, in addition to a master signing key that can be used to sign any message, there are signing keys for a function f, which allow one to sign any message in the range of f. We show ap ..."
Abstract

Cited by 69 (7 self)
 Add to MetaCart
In this paper, we introduce functional digital signatures and pseudorandom functions. In a functional signature scheme, in addition to a master signing key that can be used to sign any message, there are signing keys for a function f, which allow one to sign any message in the range of f. We show applications of functional signatures to construct succinct noninteractive arguments and delegation schemes. We give several general constructions for this primitive based on different computational hardness assumptions, and describe the tradeoffs between them in terms of the assumptions they require and the size of the signatures. In a functional pseudorandom function, in addition to a master secret key that can be used to evaluate the pseudorandom function F on any point in the domain, there are additional secret keys for a function f, which allow one to evaluate F on any y for which there exists an x such that f(x) = y. This implies the ability to delegate keys per function f for computing a pseudorandom function F on points y for which f(y) = 1. We define and provide a sample construction of a functional pseudorandom function family for the prefixfixing function family. 1
Linearly Homomorphic Signatures over Binary Fields and New Tools for LatticeBased Signatures
, 2010
"... We propose a linearly homomorphic signature scheme that authenticates vector subspaces of a given ambient space. Our system has several novel properties not found in previous proposals: • It is the first such scheme that authenticates vectors defined over binary fields; previous proposals could only ..."
Abstract

Cited by 39 (2 self)
 Add to MetaCart
We propose a linearly homomorphic signature scheme that authenticates vector subspaces of a given ambient space. Our system has several novel properties not found in previous proposals: • It is the first such scheme that authenticates vectors defined over binary fields; previous proposals could only authenticate vectors with large or growing coefficients. • It is the first such scheme based on the problem of finding short vectors in integer lattices, and thus enjoys the worstcase security guarantees common to latticebased cryptosystems. Our scheme can be used to authenticate linear transformations of signed data, such as those arising when computing mean and Fourier transform or in networks that use network coding. Our construction gives an example of a cryptographic primitive — homomorphic signatures over F2 — that can be built using lattice methods, but cannot currently be built using bilinear maps or other traditional algebraic methods based on factoring or discrete log type problems. Security of our scheme (in the random oracle model) is based on a new hard problem on lattices, called kSIS, that reduces to standard averagecase and worstcase lattice problems. Our formulation of the kSIS problem adds to the “toolbox” of latticebased cryptography and may be useful in constructing other latticebased cryptosystems. As a second application of the new kSIS tool, we construct an ordinary signature scheme and prove it ktime unforgeable in the standard model assuming the hardness of the kSIS problem. Our construction can be viewed as “removing the random oracle” from the signatures of Gentry, Peikert, and Vaikuntanathan at the expense of only allowing a small number of signatures.
Making argument systems for outsourced computation practical (sometimes
 In NDSS
, 2012
"... This paper describes the design, implementation, and evaluation of a system for performing verifiable outsourced computation. It has long been known that (1) this problem can be solved in theory using probabilistically checkable proofs (PCPs) coupled with modern cryptographic tools, and (2) these ..."
Abstract

Cited by 35 (6 self)
 Add to MetaCart
(Show Context)
This paper describes the design, implementation, and evaluation of a system for performing verifiable outsourced computation. It has long been known that (1) this problem can be solved in theory using probabilistically checkable proofs (PCPs) coupled with modern cryptographic tools, and (2) these solutions have wholly impractical performance, according to the conventional (and wellfounded) wisdom. Our goal is to challenge (2), with a built system that implements an argument system based on PCPs. We describe a generalpurpose system that builds on work of Ishai et al. (CCC ’07) and incorporates new theoretical work to improve performance by 20 orders of magnitude. The system is (arguably) practical in some cases, suggesting that, as a tool for building secure systems, PCPs are not a lost cause. 1
H.: Knox: PrivacyPreserving Auditing for Shared Data with Large Groups in the Cloud
, 2012
"... Abstract. With cloud computing and storage services, data is not only stored in the cloud, but routinely shared among a large number of users in a group. It remains elusive, however, to design an efficient mechanism to audit the integrity of such shared data, while still preserving identity privacy. ..."
Abstract

Cited by 33 (5 self)
 Add to MetaCart
(Show Context)
Abstract. With cloud computing and storage services, data is not only stored in the cloud, but routinely shared among a large number of users in a group. It remains elusive, however, to design an efficient mechanism to audit the integrity of such shared data, while still preserving identity privacy. In this paper, we propose Knox, a privacypreserving auditing mechanism for data stored in the cloud and shared among a large number of users in a group. In particular, we utilize group signatures to construct homomorphic authenticators, so that a third party auditor (TPA) is able to verify the integrity of shared data for users without retrieving the entire data. Meanwhile, the identity of the signer on each block in shared data is kept private from the TPA. With Knox, the amount of information used for verification, as well as the time it takes to audit with it, are not affected by the number of users in the group. In addition, Knox exploits homomorphic MACs to reduce the space used to store such verification information. Our experimental results show that Knox is able to efficiently audit the correctness of data, shared among a large number of users.
Taking proofbased verified computation a few steps closer to practicality
 In USENIX Security
, 2012
"... Abstract. We describe GINGER, a built system for unconditional, generalpurpose, and nearly practical verification of outsourced computation. GINGER is based on PEPPER, which uses the PCP theorem and cryptographic techniques to implement an efficient argument system (a kind of interactive protocol). ..."
Abstract

Cited by 26 (5 self)
 Add to MetaCart
(Show Context)
Abstract. We describe GINGER, a built system for unconditional, generalpurpose, and nearly practical verification of outsourced computation. GINGER is based on PEPPER, which uses the PCP theorem and cryptographic techniques to implement an efficient argument system (a kind of interactive protocol). GINGER slashes the query size and costs via theoretical refinements that are of independent interest; broadens the computational model to include (primitive) floatingpoint fractions, inequality comparisons, logical operations, and conditional control flow; and includes a parallel GPUbased implementation that dramatically reduces latency. 1
Computing blindfolded: New developments in fully homomorphic encryption
 in Foundations of Computer Science (FOCS), 2011 IEEE 52nd Annual Symposium on. IEEE, 2011
"... Abstract — A fully homomorphic encryption scheme enables computation of arbitrary functions on encrypted data. Fully homomorphic encryption has long been regarded as cryptography’s prized “holy grail ” – extremely useful yet rather elusive. Starting with the groundbreaking work of Gentry in 2009, t ..."
Abstract

Cited by 24 (2 self)
 Add to MetaCart
Abstract — A fully homomorphic encryption scheme enables computation of arbitrary functions on encrypted data. Fully homomorphic encryption has long been regarded as cryptography’s prized “holy grail ” – extremely useful yet rather elusive. Starting with the groundbreaking work of Gentry in 2009, the last three years have witnessed numerous constructions of fully homomorphic encryption involving novel mathematical techniques, and a number of exciting applications. We will take the reader through a journey of these developments and provide a glimpse of the exciting research directions that lie ahead. 1.
Verifying computations with state
"... When outsourcing computations to the cloud or other thirdparties, a key issue for clients is the ability to verify the results. Recent work in proofbased verifiable computation, building on deep results in complexity theory and cryptography, has made significant progress on this problem. However, ..."
Abstract

Cited by 20 (2 self)
 Add to MetaCart
When outsourcing computations to the cloud or other thirdparties, a key issue for clients is the ability to verify the results. Recent work in proofbased verifiable computation, building on deep results in complexity theory and cryptography, has made significant progress on this problem. However, all existing systems require computational models that do not incorporate state. This limits these systems to simplistic programming idioms and rules out computations where the client cannot materialize all of the input (e.g., very large MapReduce instances or database queries). This paper describes Pantry, the first built system that incorporates state. Pantry composes the machinery of proofbased verifiable computation with ideas from untrusted storage: the client expresses its computation in terms of digests that attests to state, and verifiably outsources that computation. Besides the boon to expressiveness, the client can gain from outsourcing even when the computation is sublinear in the input size. We describe a verifiable MapReduce application and a queriable database, among other simple applications. Although the resulting applications result in server overhead that is higher than we would like, Pantry is the first system to provide verifiability for realistic applications in a realistic programming model. 1
Computing on authenticated data
 In Theory of Cryptography — TCC 2012, Springer LNCS 7194
, 2012
"... In tandem with recent progress on computing on encrypted data via fully homomorphic encryption, we present a framework for computing on authenticated data via the notion of slightly homomorphic signatures, or Phomomorphic signatures. With such signatures, it is possible for a third party to derive ..."
Abstract

Cited by 18 (1 self)
 Add to MetaCart
(Show Context)
In tandem with recent progress on computing on encrypted data via fully homomorphic encryption, we present a framework for computing on authenticated data via the notion of slightly homomorphic signatures, or Phomomorphic signatures. With such signatures, it is possible for a third party to derive a signature on the object m ′ from a signature of m as long as P (m, m ′ ) = 1 for some predicate P which captures the “authenticatable relationship ” between m ′ and m. Moreover, a derived signature on m ′ reveals no extra information about the parent m. Our definition is carefully formulated to provide one unified framework for a variety of distinct concepts in this area, including arithmetic, homomorphic, quotable, redactable, transitive signatures and more. It includes being unable to distinguish a derived signature from a fresh one even when given the original signature. The inability to link derived signatures to their original sources prevents some practical privacy and linking attacks, which is a challenge not satisfied by most prior works. Under this strong definition, we then provide generic constructions for all univariate and closed predicates, and specific efficient constructions for a broad class of natural predicates such as quoting, subsets, weighted sums, averages, and Fourier transforms. To our knowledge, these are the first efficient constructions for these predicates (excluding subsets) that provably satisfy this strong security notion. Supported by NSF, DARPA, and AFOSR. Applying to all authors, the views and conclusions contained in this
Random Oracles in a Quantum World
"... Abstract. The interest in postquantum cryptography — classical systems that remain secure in the presence of a quantum adversary — has generated elegant proposals for new cryptosystems. Some of these systems are set in the random oracle model and are proven secure relative to adversaries that have ..."
Abstract

Cited by 17 (3 self)
 Add to MetaCart
Abstract. The interest in postquantum cryptography — classical systems that remain secure in the presence of a quantum adversary — has generated elegant proposals for new cryptosystems. Some of these systems are set in the random oracle model and are proven secure relative to adversaries that have classical access to the random oracle. We argue that to prove postquantum security one needs to prove security in the quantumaccessible random oracle model where the adversary can query the random oracle with quantum state. We begin by separating the classical and quantumaccessible random oracle models by presenting a scheme that is secure when the adversary is given classical access to the random oracle, but is insecure when the adversary can make quantum oracle queries. We then set out to develop generic conditions under which a classical random oracle proof implies security in the quantumaccessible random oracle model. We introduce the concept of a historyfree reduction which is a category of classical random oracle reductions that basically determine oracle answers independently of the history of previous queries, and we prove that such reductions imply security in the quantum model. We then show that certain postquantum proposals, including ones based on lattices, can be proven secure using historyfree reductions and are therefore postquantum secure. We conclude with a rich set of open problems in this area.