Order-Revealing Encryption and the Hardness of Private Learning

An order-revealing encryption scheme gives a public procedure by which two ciphertexts can be compared to reveal the ordering of their underlying plaintexts. We show how to use order-revealing encryption to separate computationally efficient PAC learning from efficient $(\epsilon, \delta)$-differentially private PAC learning. That is, we construct a concept class that is efficiently PAC learnable, but for which every efficient learner fails to be differentially private. This answers a question of Kasiviswanathan et al. (FOCS '08, SIAM J. Comput. '11). To prove our result, we give a generic transformation from an order-revealing encryption scheme into one with strongly correct comparison, which enables the consistent comparison of ciphertexts that are not obtained as the valid encryption of any message. We believe this construction may be of independent interest.Comment: 28 page

Multi-Client Functional Encryption for Separable Functions

In this work, we provide a compiler that transforms a single-input functional encryption scheme for the class of polynomially bounded circuits into a multi-client functional encryption (MCFE) scheme for the class of separable functions. An n-input function f is called separable if it can be described as a list of polynomially bounded circuits f^1, ... , f^n s.t. f(x_1, ... , x_n)= f^1(x_1)+ ... + f^n(x_n) for all x_1 ,... , x_n. Our compiler extends the works of Brakerski et al. [Eurocrypt 2016] and of Komargodski et al. [Eurocrypt 2017] in which a generic compiler is proposed to obtain multi-input functional encryption (MIFE) from single-input functional encryption. Our construction achieves the stronger notion of MCFE but for the less generic class of separable functions. Prior to our work, a long line of results has been proposed in the setting of MCFE for the inner-product functionality, which is a special case of a separable function. We also propose a modified version of the notion of decentralized MCFE introduced by Chotard et al. [Asiacrypt 2018] that we call outsourceable mulit-client functional encryption (OMCFE). Intuitively, the notion of OMCFE makes it possible to distribute the load of the decryption procedure among at most n different entities, which will return decryption shares that can be combined (e.g., additively) thus obtaining the output of the computation. This notion is especially useful in the case of a very resource consuming decryption procedure, while the combine algorithm is non-time consuming. We also show how to extend the presented MCFE protocol to obtain an OMCFE scheme for the same functionality class

Making Public Key Functional Encryption Function Private, Distributively

We put forth a new notion of distributed public key functional encryption. In such a functional encryption scheme, the secret key for a function $f$ will be split into shares $sk_i^f$. Given a ciphertext $ct$ that encrypts a message $x$, a secret key share $sk_i^f$, one can evaluate and obtain a shared value $y_i$. Adding all the shares up can recover the actual value of $f(x)$, while partial shares reveal nothing about the plaintext. More importantly, this new model allows us to establish {\em function privacy} which was not possible in the setting of regular public key functional encryption. We formalize such notion and construct such a scheme from any public key functional encryption scheme together with learning with error assumption. We then consider the problem of hosting services in the untrusted cloud. Boneh, Gupta, Mironov, and Sahai (Eurocrypt 2014) first studied such application and gave a construction based on indistinguishability obfuscation. Their construction had the restriction that the number of corrupted clients has to be bounded and known. They left an open problem how to remove such restriction. We resolve this problem by applying our function private (distributed) public key functional encryption to the setting of hosting service in multiple clouds. Furthermore, our construction provides a much simpler and more flexible paradigm which is of both conceptual and practical interests. Along the way, we strengthen and simplify the security notions of the underlying primitives, including function secret sharing

Functional Encryption for Inner Product with Full Function Privacy

Functional encryption (FE) supports constrained decryption keys that allow decrypters to learn specific functions of encrypted messages. In numerous practical applications of FE, confidentiality must be assured not only for the encrypted data but also for the functions for which functional keys are provided. This paper presents a non-generic simple private key FE scheme for the inner product functionality, also known as inner product encryption (IPE). In contrast to the existing similar schemes, our construction achieves the strongest indistinguishability-based notion of function privacy in the private key setting without employing any computationally expensive cryptographic tool or non-standard complexity assumption. Our construction is built in the asymmetric bilinear pairing group setting of prime order. The security of our scheme is based on the well-studied Symmetric External Diffie-Hellman (SXDH) assumption

On the power of Public-key Functional Encryption with Function Privacy

In the public-key setting, known constructions of function-private functional encryption (FPFE) were limited to very restricted classes of functionalities like inner-product [Agrawal et al. - PKC 2015]. Moreover, its power has not been well investigated. In this paper, we construct FPFE for general functions and explore its powerful applications (both for general functions and for specific efficient instantiations). As warmup, we construct from FPFE a natural generalization of a signature scheme endowed with functional properties, that we call functional anonymous signature (FAS) scheme. In a FAS, Alice can sign a circuit $C$ chosen from some distribution $D$ to get a signature $\sigma$ and can publish a verification key that allows anybody holding a message $m$ to verify that (1) $\sigma$ is a valid signature of Alice for some (possibly unknown to him) circuit $C$ and (2) $C(m)=1$. Beyond unforgeability the security of FAS guarantees that the signature $\sigma$ hide as much information as possible about $C$ except what can be inferred from knowledge of $D$. Then, we show that FPFE can be used to construct in a black-box way functional encryption schemes for randomized functionalities (RFE). Previous constructions of (public-key) RFE relied on iO [Goyal et al. - TCC 2015]. As further application, we show that efficient instantiations of FPFE can be used to achieve adaptively-secure CNF/DNF encryption for bounded degree formulae (BoolEnc). Though it was known how to implement BoolEnc from inner-product encryption [Katz et al. - EUROCRYPT 2008], as already observed by Katz et al. this reduction only works for selective security and completely breaks down for adaptive security. For this application we only need weak assumptions and the resulting adaptively-secure BoolEnc scheme is efficient. Finally, we present a general picture of the relations among all these related primitives. One key observation is that Attribute-based Encryption with function privacy implies FE, a notable fact that sheds light on the importance of the function privacy property for FE

Hardness of Non-Interactive Differential Privacy from One-Way Functions

A central challenge in differential privacy is to design computationally efficient non-interactive algorithms that can answer large numbers of statistical queries on a sensitive dataset. That is, we would like to design a differentially private algorithm that takes a dataset $D \in X^n$ consisting of some small number of elements $n$ from some large data universe $X$, and efficiently outputs a summary that allows a user to efficiently obtain an answer to any query in some large family $Q$. Ignoring computational constraints, this problem can be solved even when $X$ and $Q$ are exponentially large and $n$ is just a small polynomial; however, all algorithms with remotely similar guarantees run in exponential time. There have been several results showing that, under the strong assumption of indistinguishability obfuscation (iO), no efficient differentially private algorithm exists when $X$ and $Q$ can be exponentially large. However, there are no strong separations between information-theoretic and computationally efficient differentially private algorithms under any standard complexity assumption. In this work we show that, if one-way functions exist, there is no general purpose differentially private algorithm that works when $X$ and $Q$ are exponentially large, and $n$ is an arbitrary polynomial. In fact, we show that this result holds even if $X$ is just subexponentially large (assuming only polynomially-hard one-way functions). This result solves an open problem posed by Vadhan in his recent survey

Two-Input Functional Encryption for Inner Products from Bilinear Maps

Functional encryption is a new paradigm of public-key encryption that allows a user to compute $f(x)$ on encrypted data $CT(x)$ with a private key $SK_f$ to finely control the revealed information. Multi-input functional encryption is an important extension of (single-input) functional encryption that allows the computation $f(x_1, \ldots, x_n)$ on multiple ciphertexts $CT(x_1), \ldots, CT(x_n)$ with a private key $SK_f$. Although multi-input functional encryption has many interesting applications like running SQL queries on encrypted database and computation on encrypted stream, current candidates are not yet practical since many of them are built on indistinguishability obfuscation. To solve this unsatisfactory situation, we show that practical two-input functional encryption schemes for inner products can be built based on bilinear maps. In this paper, we first propose a two-input functional encryption scheme for inner products in composite-order bilinear groups and prove its selective IND-security under simple assumptions. Next, we propose a two-client functional encryption scheme for inner products where each ciphertext can be associated with a time period and prove its selective IND-security. Furthermore, we show that our two-input functional encryption schemes in composite-order bilinear groups can be converted into schemes in prime-order asymmetric bilinear groups by using the asymmetric property of asymmetric bilinear groups

Order-Revealing Encryption and the Hardness of Private Learning

An order-revealing encryption scheme gives a public procedure by which two ciphertexts can be compared to reveal the ordering of their underlying plaintexts. We show how to use order-revealing encryption to separate computationally efficient PAC learning from efficient $(\epsilon, \delta)$-differentially private PAC learning. That is, we construct a concept class that is efficiently PAC learnable, but for which every efficient learner fails to be differentially private. This answers a question of Kasiviswanathan et al. (FOCS \u2708, SIAM J. Comput. \u2711). To prove our result, we give a generic transformation from an order-revealing encryption scheme into one with strongly correct comparison, which enables the consistent comparison of ciphertexts that are not obtained as the valid encryption of any message. We believe this construction may be of independent interest

Homomorphic Indistinguishability Obfuscation and its Applications

In this work, we propose the notion of homomorphic indistinguishability obfuscation ($\mathsf{HiO}$) and present a construction based on subexponentially-secure $\mathsf{iO}$ and one-way functions. An $\mathsf{HiO}$ scheme allows us to convert an obfuscation of circuit $C$ to an obfuscation of $C\u27\circ C$, and this can be performed obliviously (that is, without knowing the circuit $C$). A naive solution would be to obfuscate $C\u27 \circ \mathsf{iO}(C)$. However, if we do this for $k$ hops, then the size of the final obfuscation is exponential in $k$. $\mathsf{HiO}$ ensures that the size of the final obfuscation remains polynomial after repeated compositions. As an application, we show how to build function-hiding hierarchical multi-input functional encryption and homomorphic witness encryption using $\mathsf{HiO}$