On Perfect Correctness in (Lockable) Obfuscation
In a lockable obfuscation scheme a party takes as input a program , a lock value , a message and produces an obfuscated program . The obfuscated program can be evaluated on an input to learn the message if . The security of such schemes states that if is randomly chosen (independent of and ), then one cannot distinguish an obfuscation of from a "dummy" obfuscation.
Existing constructions of lockable obfuscation achieve provable security under the Learning with Errors assumption. One limitation of these constructions is that they achieve only statistical correctness and allow for a possible one sided error where the obfuscated program could output the on some value where .
In this work we motivate the problem of studying perfect correctness in lockable obfuscation for the case where the party performing the obfuscation might wish to inject a backdoor or hole in correctness. We begin by studying the existing constructions and identify two components that are susceptible to imperfect correctness. The first is in the LWE-based pseudo random generators (PRGs) that are non-injective, while the second is in the last level testing procedure of the core constructions.
We address each in turn. First, we build upon previous work to design injective PRGs that are provably secure from the LWE assumption. Next, we design an alternative last level testing procedure that has additional structure to prevent correctness errors. We then provide a surgical proof of security (to avoid redundancy) that connects our construction to the construction by Goyal, Koppula, and Waters (GKW). Specifically, we show how for a random value an obfuscation under our new construction is indistinguishable from an obfuscation under the existing GKW construction.
Lockable Obfuscation
In this paper we introduce the notion of lockable obfuscation. In a lockable obfuscation scheme there exists an obfuscation algorithm that takes as input a security parameter , a program , a message and "lock value" and outputs an obfuscated program . One can evaluate the obfuscated program on any input where the output of evaluation is the message if and otherwise receives a rejecting symbol .
We proceed to provide a construction of lockable obfuscation and prove it secure under the Learning with Errors (LWE) assumption. Notably, our proof only requires LWE with polynomial hardness and does not require complexity leveraging.
We follow this by describing multiple applications of lockable obfuscation. First, we show how to transform any attribute-based encryption (ABE) scheme into one in which the attributes used to encrypt the message are hidden from any user that is not authorized to decrypt the message. (Such a system is also known as predicate encryption with one-sided security.) The only previous construction, due to Gorbunov, Vaikuntanathan and Wee, is based on a specific ABE scheme of Boneh et al. By enabling the transformation of any ABE scheme we can inherit different forms and features of the underlying scheme such as: multi-authority, adaptive security from polynomial hardness, regular language policies, etc.
We also show applications of lockable obfuscation to separation and uninstantiability results. We first show how to create new separation results in circular encryption that were previously based on indistinguishability obfuscation. This results in new separation results from learning with errors, including a public key bit encryption scheme that is IND-CPA secure and not circular secure. The tool of lockable obfuscation allows these constructions to be almost immediately realized by translation from previous indistinguishability obfuscation based constructions.
In a similar vein we provide random oracle uninstantiability results for the Fujisaki-Okamoto transformation (and related transformations) from lockable obfuscation combined with fully homomorphic encryption. Again, we take advantage of the fact that previous work used indistinguishability obfuscation to obfuscate programs in a form that could easily be translated to lockable obfuscation.
Secure Quantum Extraction Protocols
Knowledge extraction, typically studied in the classical setting, is at the heart of several cryptographic protocols. We introduce the notion of secure quantum extraction protocols. A secure quantum extraction protocol for an NP relation is a classical interactive protocol between a sender and a receiver, where the sender gets the instance and a witness , while the receiver only gets the instance . For any efficient quantum adversarial sender (who follows the protocol but can choose its own randomness), there exists a quantum extractor that can extract a witness such that while a malicious receiver should not be able to output any valid witness. We study and construct two types of secure quantum extraction protocols.
(1) Quantum extraction protocols secure against quantum malicious receivers based on quantum fully homomorphic encryption satisfying some mild properties and quantum hardness of learning with errors. In this construction, we introduce a non-black-box technique in the quantum setting. All previous extraction techniques in the quantum setting were solely based on quantum rewinding.
(2) Quantum extraction protocols secure against classical malicious receivers based on quantum hardness of learning with errors.
As an application, based on the quantum hardness of learning with errors, we present a construction of constant-round quantum zero-knowledge argument systems for NP that guarantee security even against quantum malicious verifiers; however, our soundness only holds against classical probabilistic polynomial-time adversaries. Prior to our work, such protocols were known based, additionally, on the assumptions of decisional Diffie-Hellman (or other cryptographic assumptions that do not hold against polynomial-time quantum algorithms).
Comment: Accepted at TCC 202
Witness Encryption from Garbled Circuit and Multikey Fully Homomorphic Encryption Techniques
In a witness encryption scheme, to decrypt a ciphertext associated with an NP statement, the decrypter takes as input a witness testifying that the statement is in the language. When the statement is not in the language, then the message is hidden. Thus far, the only provably secure constructions assume the existence of indistinguishability obfuscation (iO) and multilinear maps (MMaps).
We make progress towards building polynomially efficient witness encryption for NP without resorting to iO or MMaps. In particular, we give a witness encryption scheme from Yao's garbled circuit technique and a new type of fully homomorphic encryption (FHE) that we call annihilating. Interestingly, we require a version of the annihilating FHE that is circularly insecure, i.e., allows testing the presence of a key cycle. We prove our witness encryption's security from a novel assumption about our annihilating FHE. We formulate the assumption as an interplay between an annihilating FHE and ideal ciphers. We show a candidate (leveled) annihilating FHE built from a multikey variant of the BGV/BFV fully homomorphic cryptosystems.
Upgrading to Functional Encryption
The notion of Functional Encryption (FE) has recently emerged as a strong primitive with several exciting applications. In this work, we initiate the study of the following question: Can existing public key encryption schemes be "upgraded" to Functional Encryption schemes without changing their public keys or the encryption algorithm? We call a public-key encryption scheme with this property FE-compatible.
Indeed, assuming ideal obfuscation, it is easy to see that every CCA-secure public-key encryption scheme is FE-compatible. Despite the recent success in using indistinguishability obfuscation to replace ideal obfuscation for many applications, we show that this phenomenon most likely will not apply here.
We show that assuming fully homomorphic encryption and the learning with errors (LWE) assumption, there exists a CCA-secure encryption scheme that is provably not FE-compatible. We also show that a large class of natural CCA-secure encryption schemes proven secure in the random oracle model are not FE-compatible in the random oracle model.
Nevertheless, we identify a key structure that, if present, is sufficient to provide FE-compatibility. Specifically, we show that assuming sub-exponentially secure iO and sub-exponentially secure one-way functions, there exists a class of public key encryption schemes, which we call Special-CCA secure encryption schemes, that are, in fact, FE-compatible.
In particular, each of the following popular CCA secure encryption schemes (some of which existed even before the notion of FE was introduced) fall into the class of Special-CCA secure encryption schemes and are thus FE-compatible:
1) The scheme of Canetti, Halevi and Katz (Eurocrypt 2004) when instantiated with the IBE scheme of Boneh-Boyen (Eurocrypt 2004).
2) The scheme of Canetti, Halevi and Katz (Eurocrypt 2004) when instantiated with any Hierarchical IBE scheme.
3) The scheme of Peikert and Waters (STOC 2008) when instantiated with any Lossy Trapdoor Function.
Impossibility of Strong KDM Security with Auxiliary Input
In this note, we show that a strong notion of KDM security cannot be obtained by any encryption scheme in the auxiliary input setting, assuming Learning With Errors (LWE) and one-way permutations. The notion of security we deal with guarantees that for any (possibly inefficient) function , it is computationally hard to distinguish between an encryption of 0s and an encryption of f(pk, z), where pk is the public key and z is the auxiliary input. Furthermore, we show that this holds even when restricted to bounded-length auxiliary input where z is much shorter than pk, under the additional assumption that (non-leveled) fully homomorphic encryption exists.
Multi-Input Attribute Based Encryption and Predicate Encryption
Motivated by several new and natural applications, we initiate the study of multi-input predicate encryption () and further develop multi-input attribute based encryption (). Our contributions are:
1. Formalizing Security: We provide definitions for and in the symmetric key setting and formalize security in the standard indistinguishability (IND) paradigm, against unbounded collusions.
2. Two-input for from and Pairings: We provide the first constructions for two-input key-policy for from and pairings. Our construction leverages a surprising connection between techniques recently developed by Agrawal and Yamada (Eurocrypt, 2020) in the context of succinct single-input ciphertext-policy , to the seemingly unrelated problem of two-input key-policy . Similarly to Agrawal-Yamada, our construction is proven secure in the bilinear generic group model. By leveraging inner product functional encryption and using (a variant of) the KOALA knowledge assumption, we obtain a construction in the standard model analogously to Agrawal, Wichs and Yamada (TCC, 2020).
3. Heuristic two-input for from Lattices: We show that techniques developed for succinct single-input ciphertext-policy by Brakerski and Vaikuntanathan (ITCS 2022) can also be seen from the lens of and obtain the first two-input key-policy from lattices for .
4. Heuristic three-input and for from Pairings and Lattices: We obtain the first three-input for by harnessing the powers of both the Agrawal-Yamada and the Brakerski-Vaikuntanathan constructions.
5. Multi-input to multi-input via Lockable Obfuscation: We provide a generic compiler that lifts multi-input to multi-input by relying on the hiding properties of Lockable Obfuscation () by Wichs-Zirdelis and Goyal-Koppula-Waters (FOCS 2018), which can be based on . Our compiler generalizes such a compiler for single-input setting to the much more challenging setting of multiple inputs. By instantiating our compiler with our new two and three-input schemes, we obtain the first constructions of two and three-input schemes.
Our constructions of multi-input provide the first improvement to the compression factor of non-trivially exponentially efficient Witness Encryption defined by Brakerski et al. (SCN 2018) without relying on compact functional encryption or indistinguishability obfuscation. We believe that the unexpected connection between succinct single-input ciphertext-policy and multi-input key-policy may lead to a new pathway for witness encryption.
Auditable Obfuscation
We introduce a new variant of malicious obfuscation. Our formalism is incomparable to the existing definitions by Canetti and Varia (TCC 2010), Canetti et al. (EUROCRYPT 2022) and Badrinarayanan et al. (ASIACRYPT 2016). We show that this concept is natural and applicable to obfuscation-as-a-service platforms. We next define a new notion called auditable obfuscation which provides security against malicious obfuscation. Finally, we construct a proof of concept of the developed notions based on well-studied theoretical obfuscation proposals.
Quantum Lightning Never Strikes the Same State Twice
Public key quantum money can be seen as a version of the quantum no-cloning theorem that holds even when the quantum states can be verified by the adversary. In this work, we investigate quantum lightning, a formalization of "collision-free quantum money" defined by Lutomirski et al. [ICS'10], where no-cloning holds even when the adversary herself generates the quantum state to be cloned. We then study quantum money and quantum lightning, showing the following results:
- We demonstrate the usefulness of quantum lightning by showing several potential applications, such as generating random strings with a proof of entropy, to completely decentralized cryptocurrency without a block-chain, where transactions are instant and local.
- We give win-win results for quantum money/lightning, showing that either signatures/hash functions/commitment schemes meet very strong recently proposed notions of security, or they yield quantum money or lightning.
- We construct quantum lightning under the assumed multi-collision resistance of random degree-2 systems of polynomials.
- We show that instantiating the quantum money scheme of Aaronson and Christiano [STOC'12] with indistinguishability obfuscation that is secure against quantum computers yields a secure quantum money scheme.
Collusion Resistant Broadcast and Trace from Positional Witness Encryption
An emerging trend is for researchers to identify cryptography primitives for which feasibility was first established under obfuscation and then move the realization to a different setting. In this work we explore a new such avenue — to move obfuscation-based cryptography to the assumption of (positional) witness encryption. Our goal is to develop techniques and tools, which we will dub “witness encryption friendly” primitives and use these to develop a methodology for building advanced cryptography from positional witness encryption.
We take a bottom-up approach and pursue our general agenda by attacking the specific problem of building collusion-resistant broadcast systems with tracing from positional witness encryption. We achieve a system where the size of ciphertexts, public key and private key are polynomial in the security parameter and independent of the number of users N in the broadcast system. Currently, systems with such parameters are only known from indistinguishability obfuscation.