175 research outputs found
Tightly Secure Hierarchical Identity-Based Encryption
We construct the first tightly secure hierarchical identity-based encryption (HIBE) scheme based on standard assumptions, which solves an open problem from Blazy, Kiltz, and Pan (CRYPTO 2014). At the core of our constructions is a novel randomization technique that enables us to randomize user secret keys for identities with flexible length.
The security reductions of previous HIBEs lose at least a factor of Q, which is the number of user secret key queries. In contrast, the security loss of our schemes depends only on the security parameter. Our schemes are adaptively secure based on the Matrix Diffie-Hellman assumption, which is a generalization of standard Diffie-Hellman assumptions such as k-Linear. We have two tightly secure constructions, one with constant ciphertext size, and the other with tighter security at the cost of linear ciphertext size. Among other things, our schemes imply the first tightly secure identity-based signature scheme by a variant of the Naor transformation.
Private Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps
Verifiable computation (VC) allows a computationally weak client to outsource the evaluation of a function on many inputs to a powerful but untrusted server. The client invests a large amount of off-line computation and gives an encoding of its function to the server. The server returns both an evaluation of the function on the client's input and a proof such that the client can verify the evaluation using substantially less effort than doing the evaluation on its own. We consider how to privately outsource computations using privacy-preserving VC schemes whose executions reveal no information on the client's input or function to the server. We construct VC schemes with input privacy for univariate polynomial evaluation and matrix multiplication and then extend them such that function privacy is also achieved. Our tool is the recently developed multilinear maps. The proposed VC schemes can be used in outsourcing private information retrieval (PIR). Comment: 23 pages. A preliminary version appears in the 12th International Conference on Cryptology and Network Security (CANS 2013).
Verifiable and Delegatable Constrained Pseudorandom Functions for Unconstrained Inputs
Constrained pseudorandom functions (CPRF) are a fundamental extension of the notion of traditional pseudorandom functions (PRF). A CPRF enables a master PRF key holder to issue constrained keys corresponding to specific constraint predicates over the input domain. A constrained key can be used to evaluate the PRF only on those inputs which are accepted by the associated constraint predicate. However, the PRF outputs on the rest of the inputs still remain computationally indistinguishable from uniformly random values. A constrained verifiable pseudorandom function (CVPRF) enhances a CPRF with a non-interactive public verification mechanism for checking the correctness of PRF evaluations. A delegatable constrained pseudorandom function (DCPRF) is another extension which augments a CPRF to empower constrained key holders to delegate further constrained keys that allow PRF evaluations on inputs accepted by more restricted constraint predicates compared to the ones embedded in their own constrained keys. Until recently, all the proposed constructions of CPRFs and their extensions (i) either could handle only bounded-length inputs, (ii) or were based on risky knowledge-type assumptions. In EUROCRYPT 2016, Deshpande et al. presented a CPRF construction supporting inputs of unconstrained polynomial length based on indistinguishability obfuscation and injective pseudorandom generators, which they claimed to be selectively secure. In this paper, we first identify a flaw in their security argument and resolve this by carefully modifying their construction and suitably redesigning the security proof. Our alteration does not involve any additional heavy-duty cryptographic tools. Next, employing only standard public key encryption (PKE), we extend our CPRF construction, presenting the first ever CVPRF and DCPRF constructions that can handle inputs of unbounded polynomial length. Finally, we apply our ideas to demonstrate the first known attribute-based signature (ABS) scheme for general signing policies supporting signing attributes of arbitrary polynomial length.
Puncturable Encryption: A Generic Construction from Delegatable Fully Key-Homomorphic Encryption
Puncturable encryption (PE), proposed by Green and Miers at IEEE S&P 2015, is a kind of public key encryption that allows recipients to revoke individual messages by repeatedly updating decryption keys without communicating with senders. PE is an essential tool for constructing many interesting applications, such as asynchronous messaging systems, forward-secret zero round-trip time protocols, public-key watermarking schemes and forward-secret proxy re-encryptions. This paper revisits PE from the observation that the puncturing property can be implemented as efficiently computable functions. From this view, we propose a generic PE construction from fully key-homomorphic encryption augmented with a key delegation mechanism (DFKHE), from Boneh et al. at Eurocrypt 2014. We show that our PE construction enjoys selective security under chosen plaintext attacks (which can be converted into adaptive security with some efficiency loss) from that of DFKHE in the standard model. Based on this framework, we obtain the first post-quantum secure PE instantiation that is based on the learning with errors problem, selectively secure under chosen plaintext attacks (CPA) in the standard model. We also discuss the possibility of modifying our framework to support an unbounded number of ciphertext tags, inspired by the work of Brakerski and Vaikuntanathan at CRYPTO 2016.
Encapsulated Search Index: Public-Key, Sub-linear, Distributed, and Delegatable
We build the first sub-linear (in fact, potentially constant-time) public-key searchable encryption system:
− server can publish a public key .
− anybody can build an encrypted index for document under .
− client holding the index can obtain a token from the server to check if a keyword belongs to .
− search using is almost as fast (e.g., sub-linear) as the non-private search.
− server granting the token does not learn anything about the document , beyond the
keyword .
− yet, the token is specific to the pair : the client does not learn if other keywords belong to , or if w belongs to other, freshly indexed documents .
− server cannot fool the client by giving a wrong token .
We call such a primitive Encapsulated Search Index (ESI). Our ESI scheme can be made - distributed among servers in the best possible way: non-interactive, verifiable, and resilient to any coalition of up to malicious servers. We also introduce the notion of delegatable ESI and show how to extend our construction to this setting.
Our solution — including public indexing, sub-linear search, delegation, and distributed token generation — is deployed as a commercial application by Atakama.
Hierarchical Functional Encryption
Functional encryption provides fine-grained access control for encrypted data, allowing each user to learn only specific functions of the encrypted data. We study the notion of hierarchical functional encryption, which augments functional encryption with delegation capabilities, offering significantly more expressive access control.
We present a generic transformation that converts any general-purpose public-key functional encryption scheme into a hierarchical one without relying on any additional assumptions. This significantly refines our understanding of the power of functional encryption, showing that the existence of functional encryption is equivalent to that of its hierarchical generalization.
Instantiating our transformation with the existing functional encryption schemes yields a variety of hierarchical schemes offering various trade-offs between their delegation capabilities (i.e., the depth and width of their hierarchical structures) and underlying assumptions. When starting with a scheme secure against an unbounded number of collusions, we can support arbitrary hierarchical structures. In addition, even when starting with schemes that are secure against a bounded number of collusions (which are known to exist under rather minimal assumptions such as the existence of public-key encryption and shallow pseudorandom generators), we can support hierarchical structures of bounded depth and width.
Mitigating Leakage in Secure Cloud-Hosted Data Structures: Volume-Hiding for Multi-Maps via Hashing
Volume leakage has recently been identified as a major threat to the security of cryptographic cloud-based data structures by Kellaris et al. [CCS’16] (see also the attacks in Grubbs et al. [CCS’18] and Lacharité et al. [S&P’18]). In this work, we focus on volume-hiding implementations of encrypted multi-maps as first considered by Kamara and Moataz [Eurocrypt’19]. Encrypted multi-maps consist of outsourcing the storage of a multi-map to an untrusted server, such as a cloud storage system, while maintaining the ability to perform private queries. Volume-hiding encrypted multi-maps ensure that the number of responses (volume) for any query remains hidden from the adversarial server. As a result, volume-hiding schemes can prevent leakage attacks that leverage the adversary’s knowledge of the number of query responses to compromise privacy.
We present both conceptual and algorithmic contributions towards volume-hiding encrypted multi-maps. We introduce the first formal definition of volume-hiding leakage functions. In terms of design, we present the first volume-hiding encrypted multi-map dprfMM whose storage and query complexity are both asymptotically optimal. Furthermore, we experimentally show that our construction is practically efficient. Our server storage is smaller than the best previous construction while we improve query complexity by a factor of 10-16x.
In addition, we introduce the notion of differentially private volume-hiding leakage functions which strikes a better, tunable balance between privacy and efficiency. To accompany our new notion, we present a differentially private volume-hiding encrypted multi-map dpMM whose query complexity is the volume of the queried key plus an additional logarithmic factor. This is a significant improvement compared to all previous volume-hiding schemes whose query overhead was the maximum volume of any key. In natural settings, our construction improves the average query overhead by a factor of 150-240x over the previous best volume-hiding construction even when considering small privacy budget of
Constant-Round Concurrent Zero-knowledge from Indistinguishability Obfuscation
We present a constant-round concurrent zero-knowledge protocol for NP. Our protocol relies on the existence of families of collision-resistant hash functions, one-way permutations, and indistinguishability obfuscators for P/poly (with slightly super-polynomial security).
Constrained Pseudorandom Functions: Verifiable and Delegatable
Constrained pseudorandom functions (introduced independently by Boneh and Waters (CCS 2013), Boyle, Goldwasser, and Ivan (PKC 2014), and Kiayias, Papadopoulos, Triandopoulos, and Zacharias (CCS 2013)) are pseudorandom functions (PRFs) that allow the owner of the secret key to compute a constrained key , such that anyone who possesses can compute the output of the PRF on any input such that for some predicate . The security requirement of constrained PRFs states that the PRF output must still look indistinguishable from random for any such that .
Boneh and Waters show how to construct constrained PRFs for the class of bit-fixing as well as circuit predicates. They explicitly left open the question of constructing constrained PRFs that are delegatable, i.e., constrained PRFs where the owner of can compute a constrained key for a further restrictive predicate . Boyle, Goldwasser, and Ivan left open the question of constructing constrained PRFs that are also verifiable. Verifiable random functions (VRFs), introduced by Micali, Rabin, and Vadhan (FOCS 1999), are PRFs that allow the owner of the secret key to prove, for any input , that indeed is the output of the PRF on ; the security requirement of VRFs states that the PRF output must still look indistinguishable from random for any for which a proof is not given.
In this work, we solve both of the above open questions by constructing constrained pseudorandom functions that are simultaneously verifiable and delegatable.
Functional Encryption: Decentralised and Delegatable
Recent advances in encryption schemes have allowed us to go far beyond point-to-point encryption, the scenario typically envisioned in public key encryption. In particular, Functional Encryption (FE) allows an authority to provide users with keys corresponding to various functions, such that a user with a secret key corresponding to a function , can compute (and only that) from a ciphertext that encrypts .
While FE is a very powerful primitive, a key downside is the requirement of a central point of trust. FE requires the assumption of a central trusted authority which performs the system setup as well as manages the credentials of every party in the system on an ongoing basis. This is in contrast to public key infrastructure, which may have multiple certificate authorities and allows a party to have different (and varying) levels of trust in them.
In this work, we address this issue of trust in two ways:
- First, we ask how realistic it is to have a central authority that manages all credentials and is trusted by everyone. For example, one may need to either obtain the permission of an income tax official or the permission of the police department and a court judge in order to be able to obtain specific financial information of a user from encrypted financial data. Towards that end, we introduce a new primitive that we call Multi-Authority Functional Encryption (MAFE) as a generalization of both Functional Encryption and Multi-Authority Attribute-Based Encryption (MABE). We show how to obtain MAFE for arbitrary polynomial-time computations based on subexponentially secure indistinguishability obfuscation and injective one-way functions.
- Second, we consider the notion of delegatable functional encryption where any user in the system may independently act as a key generation authority. In delegatable FE, any user may derive a decryption key for a policy which is "more restrictive" than its own. Thus, in delegatable functional encryption, keys can be generated in a hierarchical way, instead of directly by a central authority. In contrast to MAFE, however, in a delegatable FE scheme, the trust still "flows" outward from the central authority.
Finally, we remark that our techniques are of independent interest: we construct FE in an arguably more natural way, where a decryption key for a function is simply a signature on . Such a direct approach allows us to obtain a construction with interesting properties enabling multiple authorities as well as delegation.