On the Achievability of Simulation-Based Security for Functional Encryption

Recently, there has been rapid progress in the area of functional encryption (FE), in which a receiver with secret-key Sk_y can compute from an encryption of x the value F(x,y) for some functionality F. Two central open questions that remain are: (1) Can we construct FE secure under an indistinguishability-based (IND) security notion for general circuits? (2) To what extent can we achieve a simulation-based (SIM) security notion for FE? Indeed, it was previously shown that IND-security for FE is too weak for some functionalities [Boneh et al. -- TCC\u2711, O\u27Neill -- ePrint \u2710], but that there exist strong impossibility results for SIM-security [Boneh et al. -- TCC\u2711, Agrawal et al. -- ePrint 2012]. Our work establishes a connection between these questions by giving a compiler that transforms any IND-secure FE scheme for general circuits into one that is SIM-secure for general circuits. 1) In the random oracle model, our resulting scheme is SIM-secure for an unbounded number of ciphertexts and key-derivation queries. We achieve this result by starting from an IND-secure FE scheme for general circuits with random oracle gates. 2) In the standard model, our resulting scheme is secure for a bounded number of ciphertexts and non-adaptive key-derivation queries (i.e., those made before seeing the challenge ciphertexts), but an unbounded number of adaptive key-derivation queries. These parameters match the known impossibility results for SIM-secure FE and improve upon the parameters achieved by Gorbunov et al. [CRYPTO\u2712]. The techniques for our compiler are inspired by constructions of non-committing encryption [Nielsen -- CRYPTO \u2702] and the celebrated Feige-Lapidot-Shamir paradigm [FOCS\u2790] for obtaining zero-knowledge proof systems from witness-indistinguishable proof systems. Our compiler in the standard model requires an IND-secure FE scheme for general circuits, it leaves open the question of whether we can obtain SIM-secure FE for special cases of interest under weaker assumptions. To this end, we next show that our approach leads to a direct construction of SIM-secure hidden vector encryption (an important special case of FE that generalizes anonymous identity-based encryption). The scheme, which is set in composite order bilinear groups under subgroup decision assumptions, achieves security for a bounded number of ciphertexts but unbounded number of both non-adaptive and adaptive key-derivation queries, again matching the known impossibility results. In particular, to our knowledge this is the first construction of SIM-secure FE (for any non-trivial functionality) in the standard model handling an unbounded number of adaptive key-derivation queries. Finally, we revisit the negative results for SIM-secure FE. We observe that the known results leave open the possibility of achieving SIM-security for various natural formulations of security (such as non-black-box simulation for non-adaptive adversaries). We settle these questions in the negative, thus providing essentially a full picture of the (un)achievability of SIM-security

Quantum Indistinguishability for Public Key Encryption

In this work we study the quantum security of public key encryption schemes (PKE). Boneh and Zhandry (CRYPTO'13) initiated this research area for PKE and symmetric key encryption (SKE), albeit restricted to a classical indistinguishability phase. Gagliardoni et al. (CRYPTO'16) advanced the study of quantum security by giving, for SKE, the first definition with a quantum indistinguishability phase. For PKE, on the other hand, no notion of quantum security with a quantum indistinguishability phase exists. Our main result is a novel quantum security notion (qIND-qCPA) for PKE with a quantum indistinguishability phase, which closes the aforementioned gap. We show a distinguishing attack against code-based schemes and against LWE-based schemes with certain parameters. We also show that the canonical hybrid PKE-SKE encryption construction is qIND-qCPA-secure, even if the underlying PKE scheme by itself is not. Finally, we classify quantum-resistant PKE schemes based on the applicability of our security notion. Our core idea follows the approach of Gagliardoni et al. by using so-called type-2 operators for encrypting the challenge message. At first glance, type-2 operators appear unnatural for PKE, as the canonical way of building them requires both the secret and the public key. However, we identify a class of PKE schemes - which we call recoverable - and show that for this class type-2 operators require merely the public key. Moreover, recoverable schemes allow to realise type-2 operators even if they suffer from decryption failures, which in general thwarts the reversibility mandated by type-2 operators. Our work reveals that many real-world quantum-resistant PKE schemes, including most NIST PQC candidates and the canonical hybrid construction, are indeed recoverable

Simulation-Based Secure Functional Encryption in the Random Oracle Model

One of the main lines of research in functional encryption (FE) has consisted in studying the security notions for FE and their achievability. This study was initiated by [Boneh et al. – TCC’11, O’Neill – ePrint’10] where it was first shown that for FE the indistinguishability-based (IND) security notion is not sufficient in the sense that there are FE schemes that are provably IND-Secure but concretely insecure. For this reason, researchers investigated the achievability of Simulation-based (SIM) security, a stronger notion of security. Unfortunately, the above-mentioned works and others [e.g., Agrawal et al. – CRYPTO’13] have shown strong impossibility results for SIM-Security. One way to overcome these impossibility results was first suggested in the work of Boneh et al. where it was shown how to construct, in the Random Oracle (RO) model, SIM-Secure FE for restricted functionalities and was asked the generalization to more complex functionalities as a challenging problem in the area. Subsequently, [De Caro et al. – CRYPTO’13] proposed a candidate construction of SIM-Secure FE for all circuits in the RO model assuming the existence of an IND-Secure FE scheme for circuits with RO gates. To our knowledge there are no proposed candidate IND-Secure FE schemes for circuits with RO gates and they seem unlikely to exist. We propose the first constructions of SIM-Secure FE schemes in the RO model that overcome the current impossibility results in different settings. We can do that because we resort to the two following models: In the public-key setting we assume a bound on the number of queries but this bound only affects the running-times of our encryption and decryption procedures. We stress that our FE schemes in this model are SIM-Secure and have ciphertexts and tokens of constant-size, whereas in the standard model, the current SIM-Secure FE schemes for general functionalities [De Caro et al., Gorbunov et al. – CRYPTO’12] have ciphertexts and tokens of size growing as the number of queries. In the symmetric-key setting we assume a timestamp on both ciphertexts and tokens. In this model, we provide FE schemes with short ciphertexts and tokens that are SIM-Secure against adversaries asking an unbounded number of queries. Both results also assume the RO model, but not functionalities with RO gates and rely on extractability obfuscation [Boyle et al. – TCC’14] (and other standard primitives) secure only in the standard model

Secret key establishment from common randomness represented as complex correlated random processes: Practical algorithms and theoretical limits

Establishing secret common randomness between two or multiple devices in a network resides at the root of communication security. In its most frequent form of key establishment, the problem is traditionally decomposed into a randomness generation stage (randomness purity is subject to employing often costly true random number generators) and an information-exchange agreement stage, which relies either on public-key infrastructure or on symmetric encryption (key wrapping). This dissertation has been divided into two main parts. In the first part, an algorithm called KERMAN is proposed to establish secret-common-randomness for ad-hoc networks, which works by harvesting randomness directly from the network routing metadata, thus achieving both pure randomness generation and (implicitly) secret-key agreement. This algorithm relies on the route discovery phase of an ad-hoc network employing the Dynamic Source Routing protocol, is lightweight, and requires relatively little communication overhead. The algorithm is evaluated for various network parameters, and different levels of complexity, in OPNET network simulator. The results show that, in just ten minutes, thousands of secret random bits can be generated network-wide, between different pairs in a network of fifty users. The proposed algorithm described in this first part of this research study has inspired study of the problem of generating a secret key based on a more practical model to be explored in the second part of this dissertation. Indeed, secret key establishment from common randomness has been traditionally investigated under certain limiting assumptions, of which the most ubiquitous appears to be that the information available to all parties comes in the form of independent and identically distributed (i.i.d.) samples of some correlated andom variables. Unfortunately, models employing the i.i.d assumption are often not accurate representations of real scenarios. A more capable model would represent the available information as correlated hidden Markov models (HMMs), based on the same underlying Markov chain. Such a model accurately reflects the scenario where all parties have access to imperfect observations of the same source random process, exhibiting a certain time dependency. In the second part of the dissertation , a computationally-efficient asymptotic bounds for the secret key capacity of the correlated-HMM scenario has been derived. The main obstacle, not only for this model, but also for other non-i.i.d cases, is the computational complexity. This problem has been addressed by converting the initial bound to a product of Markov random matrices, and using recent results regarding its convergence to a Lyapunov exponent

Functional Encryption and Property Preserving Encryption: New Definitions and Positive Results

Functional Encryption (FE) is an exciting new paradigm that extends the notion of public key encryption. In this work we explore the security of Inner Product Functional Encryption schemes with the goal of achieving the highest security against practically feasible attacks. In addition, we improve efficiency/ underlying assumptions/ security achieved by existing inner product Functional Encryption and Property Preserving Encryption schemes, in both the private and public key setting. Our results can be summarized as follows: - We study whether known impossibilities for achieving strong SIM based security imply actual real world attacks. For this, we present a new UC-style SIM based definition of security that captures both data and function hiding, both public key and symmetric key settings and represents the dream security of FE. While known impossibilities rule out its achievability in the standard model, we show, surprisingly, that it can be achieved in the generic group model for Inner Product FE (Katz et al., Eurocrypt 2008). This provides evidence that FE implementations may enjoy extremely strong security against a large class of real world attacks, namely generic attacks. - We provide several improvements to known constructions of Inner Product FE. In the private key setting, the construction by Shen et al. (TCC 2009) was based on non-standard assumptions, used composite order groups, and only achieved selective security. We give the first construction of a symmetric key inner product FE which is built using prime order groups, and is fully secure under the standard DLIN assumption. Our scheme is more efficient in the size of key and ciphertext than Shen et al.\u27s, when the latter is converted to prime-order groups. - We give the first construction of a property preserving encryption (PPE) scheme for inner-products. Our scheme is secure under the DLIN assumption and satisfies the strongest definition of security -- Left-or-Right security in the standard model. Note that the only previously known construction for PPE by Pandey et al. (Eurocrypt 2012), which was claimed to be secure in the generic group model, was recently attacked Chatterjee and Das, making our construction the first candidate for PPE

Contention in Cryptoland: Obfuscation, Leakage and UCE

This paper addresses the fundamental question of whether or not different, exciting primitives now being considered actually exist. We show that we, unfortunately, cannot have them all. We provide results of the form not(A) OR not(B), meaning one of the primitives A,B cannot exist. (But we don\u27t know which.) Specifically, we show that: (1) VGBO (Virtual Grey Box Obfuscation) for all circuits, which has been conjectured to be achieved by candidate constructions, cannot co-exist with Canetti\u27s 1997 AI-DHI (auxiliary input DH inversion) assumption, which has been used to achieve many goals including point-function obfuscation (2) iO (indistinguishability obfuscation) for all circuits cannot co-exist with KM-LR-SE (key-message leakage-resilient symmetric encryption) (3) iO cannot co-exist with hash functions that are UCE secure for computationally unpredictable split sources

COVERT COMMUNICATIONS IN CONTINUOUS-TIME SYSTEMS

This dissertation studies covert wireless communications where a transmitter (Alice) intends to transmit messages to a legitimate receiver (Bob) such that the presence of the message is hidden from an attentive warden (Willie). Here we consider pertinent aspects of covert communications that focus on moving such systems closer to implementation. For example, previous studies use the standard discrete-time communication model when analyzing covert communications, since this is commonly assumed without loss of generality in standard communication theory. However, it is not clear that such a model captures the salient aspects of the continuous-time covert communications problem. A power detector that is optimal for the warden in a discrete-time covert communications scenario may not be optimal on a continuous- time model. Thus, it is of interest to consider this more realistic model for physical channels. After analyzing a power optimization problem using the standard discrete-time model, we move to the key part of system implementation: the instantiation in true continuous-time systems of the discrete-time models studied to this point in the literature. A key goal is to examine Willie’s detection capability on a continuous-time model and study how the limits of covert communications change from the discrete-time case. In particular, we show that detectors for Willie can benefit from the continuous-time setting and outperform detectors based on the discrete-time model; not surprisingly, this has a significant impact on the true covert throughput of the system. Nevertheless, we establish constructions such that efficient covert communications can still be achieved in a continuous-time model, and prove the fundamental limit on the covert communication rate. After considering the continuous-time problem in detail, we then turn to addressing another limitation of previous work - the requirement for an intentional jammer to facilitate efficient covert communication. Instead, we consider how to exploit a pre-existing interference source – a radar - to achieve covert communication. We establish a covert communication scheme in such an environment, and analyze the corresponding covert rate. Finally, we consider the use of a detection technique similar to that in the covert communications problem, in the area of quantized signal detection

Functional Encryption from (Small) Hardware Tokens

Functional encryption (FE) enables fine-grained access control of encrypted data while promising simplified key management. In the past few years substantial progress has been made on functional encryption and a weaker variant called predicate encryption. Unfortunately, fundamental impossibility results have been demonstrated for constructing FE schemes for general functions satisfying a simulation-based definition of security. We show how to use \emph{hardware tokens} to overcome these impossibility results. In our envisioned scenario, an authority gives a hardware token and some cryptographic information to each authorized user; the user combines these to decrypt received ciphertexts. Our schemes rely on \emph{stateless} tokens that are \emph{identical} for all users. (Requiring a different token for each user trivializes the problem, and would be a barrier to practical deployment.) The tokens can implement relatively ``lightweight\u27\u27 computation relative to the functions supported by the scheme. Our token-based approach can be extended to support hierarchal functional encryption, function privacy, and more