175 research outputs found

    Tightly Secure Hierarchical Identity-Based Encryption

    We construct the first tightly secure hierarchical identity-based encryption (HIBE) scheme based on standard assumptions, which solves an open problem from Blazy, Kiltz, and Pan (CRYPTO 2014). At the core of our constructions is a novel randomization technique that enables us to randomize user secret keys for identities with flexible length. The security reductions of previous HIBEs lose at least a factor of Q, which is the number of user secret key queries. Different to that, the security loss of our schemes is only dependent on the security parameter. Our schemes are adaptively secure based on the Matrix Diffie-Hellman assumption, which is a generalization of standard Diffie-Hellman assumptions such as k-Linear. We have two tightly secure constructions, one with constant ciphertext size, and the other with tighter security at the cost of linear ciphertext size. Among other things, our schemes imply the first tightly secure identity-based signature scheme by a variant of the Naor transformation.

    Private Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps

    Verifiable computation (VC) allows a computationally weak client to outsource the evaluation of a function on many inputs to a powerful but untrusted server. The client invests a large amount of off-line computation and gives an encoding of its function to the server. The server returns both an evaluation of the function on the client's input and a proof such that the client can verify the evaluation using substantially less effort than doing the evaluation on its own. We consider how to privately outsource computations using privacy preserving VC schemes whose executions reveal no information on the client's input or function to the server. We construct VC schemes with input privacy for univariate polynomial evaluation and matrix multiplication and then extend them such that function privacy is also achieved. Our tool is the recently developed multilinear maps. The proposed VC schemes can be used in outsourcing private information retrieval (PIR).
    Comment: 23 pages. A preliminary version appears in the 12th International Conference on Cryptology and Network Security (CANS 2013).

    Verifiable and Delegatable Constrained Pseudorandom Functions for Unconstrained Inputs

    Constrained pseudorandom functions (CPRF) are a fundamental extension of the notion of traditional pseudorandom functions (PRF). A CPRF enables a master PRF key holder to issue constrained keys corresponding to specific constraint predicates over the input domain. A constrained key can be used to evaluate the PRF only on those inputs which are accepted by the associated constraint predicate. However, the PRF outputs on the rest of the inputs still remain computationally indistinguishable from uniformly random values. A constrained verifiable pseudorandom function (CVPRF) enhances a CPRF with a non-interactive public verification mechanism for checking the correctness of PRF evaluations. A delegatable constrained pseudorandom function (DCPRF) is another extension which augments a CPRF to empower constrained key holders to delegate further constrained keys that allow PRF evaluations on inputs accepted by more restricted constraint predicates compared to ones embedded in their own constrained keys. Until recently, all the proposed constructions of CPRFs and their extensions (i) either could handle only bounded length inputs, (ii) or were based on risky knowledge-type assumptions. In EUROCRYPT 2016, Deshpande et al. have presented a CPRF construction supporting inputs of unconstrained polynomial length based on indistinguishability obfuscation and injective pseudorandom generators, which they have claimed to be selectively secure. In this paper, we first identify a flaw in their security argument and resolve this by carefully modifying their construction and suitably redesigning the security proof. Our alteration does not involve any additional heavy duty cryptographic tools. Next, employing only standard public key encryption (PKE), we extend our CPRF construction, presenting the first ever CVPRF and DCPRF constructions that can handle inputs of unbounded polynomial length. Finally, we apply our ideas to demonstrate the first known attribute-based signature (ABS) scheme for general signing policies supporting signing attributes of arbitrary polynomial length.

    Puncturable Encryption: A Generic Construction from Delegatable Fully Key-Homomorphic Encryption

    Puncturable encryption (PE), proposed by Green and Miers at IEEE S&P 2015, is a kind of public key encryption that allows recipients to revoke individual messages by repeatedly updating decryption keys without communicating with senders. PE is an essential tool for constructing many interesting applications, such as asynchronous messaging systems, forward-secret zero round-trip time protocols, public-key watermarking schemes and forward-secret proxy re-encryptions. This paper revisits PEs from the observation that the puncturing property can be implemented as efficiently computable functions. From this view, we propose a generic PE construction from the fully key-homomorphic encryption, augmented with a key delegation mechanism (DFKHE) from Boneh et al. at Eurocrypt 2014. We show that our PE construction enjoys selective security under chosen plaintext attacks (which can be converted into adaptive security with some efficiency loss) from that of DFKHE in the standard model. Based on the framework, we obtain the first post-quantum secure PE instantiation that is based on the learning with errors problem, selectively secure under chosen plaintext attacks (CPA) in the standard model. We also discuss the possibility of modifying our framework to support an unbounded number of ciphertext tags, inspired by the work of Brakerski and Vaikuntanathan at CRYPTO 2016.

    Encapsulated Search Index: Public-Key, Sub-linear, Distributed, and Delegatable

    We build the first sub-linear (in fact, potentially constant-time) public-key searchable encryption system:
    − server can publish a public key PK.
    − anybody can build an encrypted index for document D under PK.
    − client holding the index can obtain a token z_w from the server to check if a keyword w belongs to D.
    − search using z_w is almost as fast (e.g., sub-linear) as the non-private search.
    − server granting the token does not learn anything about the document D, beyond the keyword w.
    − yet, the token z_w is specific to the pair (D, w): the client does not learn if other keywords w' ≠ w belong to D, or if w belongs to other, freshly indexed documents D'.
    − server cannot fool the client by giving a wrong token z_w.
    We call such a primitive Encapsulated Search Index (ESI). Our ESI scheme can be made (t, n)-distributed among n servers in the best possible way: non-interactive, verifiable, and resilient to any coalition of up to (t − 1) malicious servers. We also introduce the notion of delegatable ESI and show how to extend our construction to this setting. Our solution — including public indexing, sub-linear search, delegation, and distributed token generation — is deployed as a commercial application by Atakama.

    Hierarchical Functional Encryption

    Functional encryption provides fine-grained access control for encrypted data, allowing each user to learn only specific functions of the encrypted data. We study the notion of hierarchical functional encryption, which augments functional encryption with delegation capabilities, offering significantly more expressive access control. We present a generic transformation that converts any general-purpose public-key functional encryption scheme into a hierarchical one without relying on any additional assumptions. This significantly refines our understanding of the power of functional encryption, showing that the existence of functional encryption is equivalent to that of its hierarchical generalization. Instantiating our transformation with the existing functional encryption schemes yields a variety of hierarchical schemes offering various trade-offs between their delegation capabilities (i.e., the depth and width of their hierarchical structures) and underlying assumptions. When starting with a scheme secure against an unbounded number of collusions, we can support arbitrary hierarchical structures. In addition, even when starting with schemes that are secure against a bounded number of collusions (which are known to exist under rather minimal assumptions such as the existence of public-key encryption and shallow pseudorandom generators), we can support hierarchical structures of bounded depth and width.

    Mitigating Leakage in Secure Cloud-Hosted Data Structures: Volume-Hiding for Multi-Maps via Hashing

    Volume leakage has recently been identified as a major threat to the security of cryptographic cloud-based data structures by Kellaris et al. [CCS’16] (see also the attacks in Grubbs et al. [CCS’18] and Lacharité et al. [S&P’18]). In this work, we focus on volume-hiding implementations of encrypted multi-maps as first considered by Kamara and Moataz [Eurocrypt’19]. Encrypted multi-maps consist of outsourcing the storage of a multi-map to an untrusted server, such as a cloud storage system, while maintaining the ability to perform private queries. Volume-hiding encrypted multi-maps ensure that the number of responses (volume) for any query remains hidden from the adversarial server. As a result, volume-hiding schemes can prevent leakage attacks that leverage the adversary’s knowledge of the number of query responses to compromise privacy. We present both conceptual and algorithmic contributions towards volume-hiding encrypted multi-maps. We introduce the first formal definition of volume-hiding leakage functions. In terms of design, we present the first volume-hiding encrypted multi-map dprfMM whose storage and query complexity are both asymptotically optimal. Furthermore, we experimentally show that our construction is practically efficient. Our server storage is smaller than the best previous construction while we improve query complexity by a factor of 10-16x. In addition, we introduce the notion of differentially private volume-hiding leakage functions which strikes a better, tunable balance between privacy and efficiency. To accompany our new notion, we present a differentially private volume-hiding encrypted multi-map dpMM whose query complexity is the volume of the queried key plus an additional logarithmic factor. This is a significant improvement compared to all previous volume-hiding schemes whose query overhead was the maximum volume of any key. In natural settings, our construction improves the average query overhead by a factor of 150-240x over the previous best volume-hiding construction even when considering a small privacy budget of ε = 0.2.

    Constant-Round Concurrent Zero-knowledge from Indistinguishability Obfuscation

    We present a constant-round concurrent zero-knowledge protocol for NP. Our protocol relies on the existence of families of collision-resistant hash functions, one-way permutations, and indistinguishability obfuscators for P/poly (with slightly super-polynomial security).

    Constrained Pseudorandom Functions: Verifiable and Delegatable

    Constrained pseudorandom functions (introduced independently by Boneh and Waters (CCS 2013), Boyle, Goldwasser, and Ivan (PKC 2014), and Kiayias, Papadopoulos, Triandopoulos, and Zacharias (CCS 2013)) are pseudorandom functions (PRFs) that allow the owner of the secret key k to compute a constrained key k_f, such that anyone who possesses k_f can compute the output of the PRF on any input x such that f(x) = 1 for some predicate f. The security requirement of constrained PRFs states that the PRF output must still look indistinguishable from random for any x such that f(x) = 0. Boneh and Waters show how to construct constrained PRFs for the class of bit-fixing as well as circuit predicates. They explicitly left open the question of constructing constrained PRFs that are delegatable, i.e., constrained PRFs where the owner of k_f can compute a constrained key k_{f'} for a further restrictive predicate f'. Boyle, Goldwasser, and Ivan left open the question of constructing constrained PRFs that are also verifiable. Verifiable random functions (VRFs), introduced by Micali, Rabin, and Vadhan (FOCS 1999), are PRFs that allow the owner of the secret key k to prove, for any input x, that y indeed is the output of the PRF on x; the security requirement of VRFs states that the PRF output must still look indistinguishable from random, for any x for which a proof is not given. In this work, we solve both the above open questions by constructing constrained pseudorandom functions that are simultaneously verifiable and delegatable.

    Functional Encryption: Decentralised and Delegatable

    Recent advances in encryption schemes have allowed us to go far beyond point-to-point encryption, the scenario typically envisioned in public key encryption. In particular, Functional Encryption (FE) allows an authority to provide users with keys corresponding to various functions, such that a user with a secret key corresponding to a function f can compute f(m) (and only that) from a ciphertext that encrypts m. While FE is a very powerful primitive, a key downside is the requirement of a central point of trust. FE requires the assumption of a central trusted authority which performs the system setup as well as manages the credentials of every party in the system on an ongoing basis. This is in contrast to public key infrastructure which may have multiple certificate authorities and allows a party to have different (and varying) levels of trust in them.

    In this work, we address this issue of trust in two ways:
    First, we ask how realistic it is to have a central authority that manages all credentials and is trusted by everyone. For example, one may need to either obtain the permission of an income tax official or the permission of the police department and a court judge in order to be able to obtain specific financial information of a user from encrypted financial data. Towards that end, we introduce a new primitive that we call Multi-Authority Functional Encryption (MAFE) as a generalization of both Functional Encryption and Multi-Authority Attribute-Based Encryption (MABE). We show how to obtain MAFE for arbitrary polynomial-time computations based on subexponentially secure indistinguishability obfuscation and injective one-way functions.
    Second, we consider the notion of delegatable functional encryption where any user in the system may independently act as a key generation authority. In delegatable FE, any user may derive a decryption key for a policy which is "more restrictive" than its own. Thus, in delegatable functional encryption, keys can be generated in a hierarchical way, instead of directly by a central authority. In contrast to MAFE, however, in a delegatable FE scheme, the trust still "flows" outward from the central authority.
    Finally, we remark that our techniques are of independent interest: we construct FE in arguably a more natural way where a decryption key for a function f is simply a signature on f. Such a direct approach allows us to obtain a construction with interesting properties enabling multiple authorities as well as delegation.