From Minicrypt to Obfustopia via Private-Key Functional Encryption
Private-key functional encryption enables fine-grained access to symmetrically-encrypted data. Although private-key functional encryption (supporting an unbounded number of keys and ciphertexts) seems significantly weaker than its public-key variant, its known realizations all rely on public-key functional encryption. At the same time, however, up until recently it was not known to imply any public-key primitive, demonstrating our poor understanding of this extremely-useful primitive.
Recently, Bitansky et al. [TCC 2016-B] showed that sub-exponentially-secure private-key functional encryption bridges from nearly-exponential security in Minicrypt to slightly super-polynomial security in Cryptomania, and from sub-exponential security in Cryptomania to Obfustopia. Specifically, given any sub-exponentially-secure private-key functional encryption scheme and a nearly-exponentially-secure one-way function, they constructed a public-key encryption scheme with slightly super-polynomial security. Assuming, in addition, a sub-exponentially-secure public-key encryption scheme, they then constructed an indistinguishability obfuscator.
We settle the problem of positioning private-key functional encryption within the hierarchy of cryptographic primitives by placing it in Obfustopia. First, given any quasi-polynomially-secure private-key functional encryption scheme, we construct an indistinguishability obfuscator for circuits with inputs of poly-logarithmic length. Then, we observe that such an obfuscator can be used to instantiate many natural applications of indistinguishability obfuscation. Specifically, relying on sub-exponentially-secure one-way functions, we show that quasi-polynomially-secure private-key functional encryption implies not just public-key encryption but leads all the way to public-key functional encryption for circuits with inputs of poly-logarithmic length. Moreover, relying on sub-exponentially-secure injective one-way functions, we show that quasi-polynomially-secure private-key functional encryption implies a hard-on-average distribution over instances of a PPAD-complete problem.
Underlying our constructions is a new transformation from single-input functional encryption to multi-input functional encryption in the private-key setting. The previously known such transformation [Brakerski et al., EUROCRYPT 2016] required a sub-exponentially-secure single-input scheme, and obtained a scheme supporting only a slightly super-constant number of inputs. Our transformation both relaxes the underlying assumption and supports more inputs: given any quasi-polynomially-secure single-input scheme, we obtain a scheme supporting a poly-logarithmic number of inputs.
Functional encryption: definitional foundations and multiparty transformations
Classical cryptographic primitives do not allow for any fine-grained access control over encrypted data. From an encryption of some data x, a decryptor, who is in possession of a decryption key, can either obtain the whole data x or nothing. The notion of functional encryption overcomes this drawback and enables access control over encrypted data. In this setting, a setup generator is responsible for generating the public parameters and so-called functional keys. These functional keys are decryption keys that are associated with a function f such that, when used in the decryption procedure, the decryptor obtains f(x), which is the result of the function f applied to the encrypted data x.
The standard security definition of functional encryption prevents a malicious decryptor from learning more about the encrypted data than what can be obtained from the functional keys it owns. In this thesis, we introduce the notion of consistency, a security definition that protects an honest decryptor against a malicious encryptor and/or setup generator. We formally introduce this notion using different security games and show that our notions are completely separated from existing confidentiality notions. Additionally, we analyze existing schemes and show how they can be modified to achieve consistency. Furthermore, we construct black-box compilers that turn any functional encryption scheme into a consistent one. Finally, we also analyze consistency in the universal composability (UC) framework and show that the consistency games imply UC security.
A more general notion of functional encryption is the notion of multi-client functional encryption, which allows a decryptor to evaluate multi-input functions on multiple ciphertexts generated by several different clients. This notion also requires a setup generator that generates the encryption keys for the different clients as well as the functional keys for the decryptor. A corrupted setup generator is able to compromise the privacy of all the clients in the system by generating arbitrary functional keys. To remove this single point of failure, the notion of decentralized multi-client functional encryption has been introduced. In a decentralized multi-client functional encryption scheme, the participating clients in the system are responsible for the generation of the encryption and functional keys.
In this thesis, we present a compiler that decentralizes any multi-client functional encryption scheme for inner products that fulfills certain properties. Furthermore, we show that we can construct a (decentralized) multi-client functional encryption scheme for separable functions, i.e. n-input functions that can be written as the sum of n single-input functions, from any general-purpose single-input functional encryption scheme.
An interactive version of multi-client functional encryption is the notion of multiparty computation. In multiparty computation, several parties can jointly compute a function involving their private inputs by interacting in multiple rounds of communication.

We show how we can use functional encryption to amplify existing multiparty computation protocols in terms of their communication complexity. In more detail, we show how to turn a multiparty computation protocol with arbitrary communication complexity into a multiparty computation protocol whose communication complexity depends only on the depth of the circuit that is being computed, while preserving the number of rounds of interaction of the protocol. Furthermore, we present an improved compiler that relies on fully homomorphic encryption, a cryptographic notion that allows for the oblivious evaluation of functions on encrypted data, where the communication complexity of the amplified protocol is completely independent of the circuit that is being computed.
Ad Hoc Multi-Input Functional Encryption
Consider sources that supply sensitive data to an aggregator. Standard encryption only hides the data from eavesdroppers, but using specialized encryption one can hope to hide the data (to the extent possible) from the aggregator itself. For flexibility and security, we envision schemes that allow sources to supply encrypted data, such that at any point a dynamically-chosen subset of sources can allow an agreed-upon joint function of their data to be computed by the aggregator. A primitive called multi-input functional encryption (MIFE), due to Goldwasser et al. (EUROCRYPT 2014), comes close, but has two main limitations:
- it requires trust in a third party, who is able to decrypt all the data, and
- it requires function arity to be fixed at setup time and to be equal to the number of parties.
To drop these limitations, we introduce a new notion of ad hoc MIFE. In our setting, each source generates its own public key and issues individual, function-specific secret keys to an aggregator. For successful decryption, an aggregator must obtain a separate key from each source whose ciphertext is being computed upon. The aggregator could obtain multiple such secret keys from a user, corresponding to functions of varying arity. For this primitive, we obtain the following results:
- We show that standard MIFE for general functions can be bootstrapped to ad hoc MIFE for free, i.e. without making any additional assumption.
- We provide a direct construction of ad hoc MIFE for the inner product functionality based on the Learning with Errors (LWE) assumption. This yields the first construction of this natural primitive based on a standard assumption.
At a technical level, our results are obtained by combining standard MIFE schemes and two-round secure multiparty computation (MPC) protocols in novel ways, highlighting an interesting interplay between MIFE and two-round MPC.
Order-Revealing Encryption and the Hardness of Private Learning
An order-revealing encryption scheme gives a public procedure by which two ciphertexts can be compared to reveal the ordering of their underlying plaintexts. We show how to use order-revealing encryption to separate computationally efficient PAC learning from efficient -differentially private PAC learning. That is, we construct a concept class that is efficiently PAC learnable, but for which every efficient learner fails to be differentially private. This answers a question of Kasiviswanathan et al. (FOCS '08, SIAM J. Comput. '11).

To prove our result, we give a generic transformation from an order-revealing encryption scheme into one with strongly correct comparison, which enables the consistent comparison of ciphertexts that are not obtained as the valid encryption of any message. We believe this construction may be of independent interest.

Comment: 28 pages