38 research outputs found

    Towards Practical Inner Product Functional Encryption

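    Kyoto University, new-system doctorate by dissertation, Doctor of Informatics, degree number Otsu No. 13425, Ron-Jo-Haku No. 96, 新制||情||131 (University Library). Chief examiner: Professor Takayuki Kanda; Professor Masatoshi Yoshikawa; Professor Shin-ichi Minato; Masayuki Abe. Conferred under Article 4, Paragraph 2 of the Degree Regulations. Doctor of Informatics, Kyoto University. DFA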

    Unbounded Quadratic Functional Encryption and More from Pairings

    We propose the first unbounded functional encryption (FE) scheme for quadratic functions and its extension, in which the sizes of messages to be encrypted are not a priori bounded. Prior to our work, all FE schemes for quadratic functions are bounded, meaning that the message length is fixed at the setup. In the first scheme, encryption takes $\{x_{i}\}_{i \in S_{c}}$, key generation takes $\{c_{i,j}\}_{i,j \in S_{k}}$, and decryption outputs $\sum_{i,j \in S_{k}} c_{i,j}x_{i}x_{j}$ if and only if $S_{k} \subseteq S_{c}$, where the sizes of $S_{c}$ and $S_{k}$ can be arbitrary. Our second scheme is the extension of the first scheme to partially-hiding FE that computes an arithmetic branching program on a public input and a quadratic function on a private input. Concretely, encryption takes a public input $\vec{u}$ in addition to $\{x_{i}\}_{i \in S_{c}}$, a secret key is associated with arithmetic branching programs $\{f_{i,j}\}_{i,j \in S_{k}}$, and decryption yields $\sum_{i,j \in S_{k}} f_{i,j}(\vec{u})x_{i}x_{j}$ if and only if $S_{k} \subseteq S_{c}$. Both our schemes are based on pairings and secure in the simulation-based model under the standard MDDH assumption.

    Full-Hiding (Unbounded) Multi-Input Inner Product Functional Encryption from the $k$-Linear Assumption

    This paper presents two non-generic and practically efficient private key multi-input functional encryption (MIFE) schemes for the multi-input version of the inner product functionality that are the first to achieve simultaneous message and function privacy, namely, the full-hiding security for a non-trivial multi-input functionality under well-studied cryptographic assumptions. Our MIFE schemes are built in bilinear groups of prime order, and their security is based on the standard $k$-Linear ($k$-LIN) assumption (along with the existence of semantically secure symmetric key encryption and pseudorandom functions). Our constructions support polynomial number of encryption slots (inputs) without incurring any super-polynomial loss in the security reduction. While the number of encryption slots in our first scheme is a priori bounded, our second scheme can withstand an arbitrary number of encryption slots. Prior to our work, there was no known MIFE scheme for a non-trivial functionality, even without function privacy, that can support an unbounded number of encryption slots without relying on any heavy-duty building block or little-understood cryptographic assumption.

    Multi-Input Quadratic Functional Encryption: Stronger Security, Broader Functionality

    Multi-input functional encryption, MIFE, is a powerful generalization of functional encryption that allows computation on encrypted data coming from multiple different data sources. In a recent work, Agrawal, Goyal, and Tomida (CRYPTO 2021) constructed MIFE for the class of quadratic functions. This was the first MIFE construction from bilinear maps that went beyond inner product computation. We advance the state-of-the-art in MIFE, and propose new constructions with stronger security and broader functionality. Stronger Security: In the typical formulation of MIFE security, an attacker is allowed to either corrupt all or none of the users who can encrypt the data. In this work, we study MIFE security in a stronger and more natural model where we allow an attacker to corrupt any subset of the users, instead of only permitting all-or-nothing corruption. We formalize the model by providing each user a unique encryption key, and letting the attacker corrupt all non-trivial subsets of the encryption keys, while still maintaining the MIFE security for ciphertexts generated using honest keys. We construct a secure MIFE system for quadratic functions in this fine-grained corruption model from bilinear maps. Our construction departs significantly from the existing MIFE schemes as we need to tackle a more general class of attackers. Broader Functionality: The notion of multi-client functional encryption, MCFE, is a useful extension of MIFE. In MCFE, each encryptor can additionally tag each ciphertext with appropriate metadata such that ciphertexts with only matching metadata can be decrypted together. In more detail, each ciphertext is now annotated with a unique label such that ciphertexts encrypted for different slots can now only be combined together during decryption as long as the associated labels are an exact match for all individual ciphertexts. In this work, we upgrade our MIFE scheme to also support ciphertext labelling. 
While the functionality of our scheme matches that of MCFE for quadratic functions, our security guarantee falls short of the general corruption model studied for MCFE. In our model, all encryptors share a secret key, therefore this yields a secret-key version of quadratic MCFE, which we denote by SK-MCFE. We leave the problem of proving security in the general corruption model as an important open problem

    Attribute-Based Multi-Input FE (and more) for Attribute-Weighted Sums

    Recently, Abdalla, Gong and Wee (Crypto 2020) provided the first functional encryption scheme for attribute-weighted sums (AWS), where encryption takes as input $N$ (unbounded) attribute-value pairs $\{\vec{x}_i, \vec{z}_i\}_{i \in [N]}$ where $\vec{x}_i$ is public and $\vec{z}_i$ is private, the secret key is associated with an arithmetic branching program $f$, and decryption returns the weighted sum $\sum_{i \in [N]} f(\vec{x}_i)^\top \vec{z}_i$, leaking no additional information about the $\vec{z}_i$'s. We extend FE for AWS to the significantly more challenging multi-party setting and provide the first construction for attribute-based multi-input FE (MIFE) supporting AWS. For $i \in [n]$, encryptor $i$ can choose an attribute $\vec{y}_i$ together with AWS input $\{\vec{x}_{i,j}, \vec{z}_{i,j}\}$ where $j \in [N_i]$ and $N_i$ is unbounded, the key generator can choose an access control policy $g_i$ along with its AWS function $h_i$ for each $i \in [n]$, and the decryptor can compute $\sum_{i \in [n]}\sum_{j \in [N_{i}]}h_{i}(\vec{x}_{i,j})^{\top}\vec{z}_{i,j}$ iff $g_{i}(\vec{y}_{i}) = 0$ for all $i \in [n]$. Previously, the only known attribute based MIFE was for the inner product functionality (Abdalla et al. Asiacrypt 2020), where additionally, $\vec{y}_i$ had to be fixed during setup and must remain the same for all ciphertexts in a given slot. Our attribute based MIFE implies the notion of multi-input attribute based encryption (MIABE) recently studied by Agrawal, Yadav and Yamada (Crypto 2022) and Francati, Friolo, Malavolta and Venturi (Eurocrypt 2023), for a conjunction of predicates represented as arithmetic branching programs (ABP). Along the way, we also provide the first constructions of multi-client FE (MCFE) and dynamic decentralized FE (DDFE) for the AWS functionality. 
Previously, the best known MCFE and DDFE schemes were for inner products (Chotard et al. ePrint 2018, Abdalla, Benhamouda and Gay, Asiacrypt 2019, and Chotard et al. Crypto 2020). Our constructions are based on pairings and proven selectively secure under the matrix DDH assumption.

    Communication-Efficient Inner Product Private Join and Compute with Cardinality

    Private join and compute (PJC) is a paradigm where two parties owning their private database securely join their databases and compute a function over the combined database. Inner product PJC, introduced by Lepoint et al. (Asiacrypt'21), is a class of PJC that has a wide range of applications such as secure analysis of advertising campaigns. In this computation, two parties, each of which has a set of identifier-value pairs, compute the inner product of the values after the (inner) join of their databases with respect to the identifiers. They proposed inner product PJC protocols that are specialized for the unbalanced setting where the input sizes of both parties are significantly different and not suitable for the balanced setting where the sizes of two inputs are relatively close. We propose an inner product PJC protocol that is much more efficient than that by Lepoint et al. for balanced inputs in the setting where both parties are allowed to learn the intersection size additionally. Our protocol can be seen as an extension of the private intersection-sum protocol based on the decisional Diffie-Hellman assumption by Ion et al. (EuroS&P'20) and is especially communication-efficient as the private intersection-sum protocol. In the case where both input sizes are $2^{16}$, the communication cost of our inner-product PJC protocol is $46\times$ less than that of the inner product PJC protocol by Lepoint et al.

    DV200 Index for Assessing RNA Integrity in Next-Generation Sequencing

    Poor quality of biological samples will result in an inaccurate analysis of next-generation sequencing (NGS). Therefore, methods to accurately evaluate sample integrity are needed. Among methods for evaluating RNA quality, the RNA integrity number equivalent (RINe) is widely used, whereas the DV200, which evaluates the percentage of fragments of >200 nucleotides, is also used as a quality assessment standard. In this study, we compared the RINe and DV200 RNA quality indexes to determine the most suitable RNA index for the NGS analysis. Seventy-one RNA samples were extracted from formalin-fixed paraffin-embedded tissue samples (n=30), fresh-frozen samples (n=25), or cell lines (n=16). After assessing RNA quality using the RINe and DV200, we prepared two kinds of stranded mRNA sequencing libraries. Finally, we calculated the correlation between each RNA quality index and the amount of library product (1st PCR product per input RNA). The DV200 measure showed stronger correlation with the amount of library product than the RINe (R²=0.8208 for the DV200 versus 0.6927 for the RINe). Receiver operating characteristic curve analyses revealed that the DV200 was the better marker for predicting efficient library production than the RINe using a threshold of >10 ng/ng for the amount of the 1st PCR product per input RNA (cutoff value for the RINe and DV200, 2.3 and 66.1%; area under the curve, 0.99 and 0.91; sensitivity, 82% and 92%; and specificity, 93% and 100%, respectively). Our results indicate that NGS libraries prepared using RNA samples with the DV200 value >66.1% exhibit greater sensitivity and specificity than those prepared with the RINe values >2.3. These findings suggest that the DV200 is superior to the RINe, especially for low-quality RNA, because it is a more consistent assessment of the amount of the 1st NGS library product per input.

    Efficient Secure Three-Party Sorting with Applications to Data Analysis and Heavy Hitters

    We present a three-party sorting protocol secure against passive and active adversaries in the honest majority setting. The protocol can be easily combined with other secure protocols which work on shared data, and thus enable different data analysis tasks, such as private set intersection of shared data, deduplication, and the identification of heavy hitters. The new protocol computes a stable sort. It is based on radix sort and is asymptotically better than previous secure sorting protocols. It improves on previous radix sort protocols by not having to shuffle the entire length of the items after each comparison step. We implemented our sorting protocol with different optimizations and achieved concretely fast performance. For example, sorting one million items with 32-bit keys and 32-bit values takes less than 2 seconds with semi-honest security and about 3.5 seconds with malicious security. Finding the heavy hitters among hundreds of thousands of 256-bit values takes only a few seconds, compared to close to an hour in previous work

    Acquired resistance mechanisms to afatinib in HER2-amplified gastric cancer cells

    Cancer treatment, especially that for breast and lung cancer, has entered a new era and continues to evolve, with the development of genome analysis technology and the advent of molecular targeted drugs including tyrosine kinase inhibitors. Nevertheless, acquired drug resistance to molecular targeted drugs is unavoidable, creating a clinically challenging problem. We recently reported the antitumor effect of a pan-HER inhibitor, afatinib, against human epidermal growth factor receptor 2 (HER2)-amplified gastric cancer cells. The purpose of the present study was to identify the mechanisms of acquired afatinib resistance and to investigate the treatment strategies for HER2-amplified gastric cancer cells. Two afatinib-resistant gastric cancer cell lines were established from 2 HER2-amplified cell lines, N87 and SNU216. Subsequently, we investigated the molecular profiles of resistant cells. The activation of the HER2 pathway was downregulated in N87-derived resistant cells, whereas it was upregulated in SNU216-derived resistant cells. In the N87-derived cell line, both MET and AXL were activated, and combination treatment with afatinib and cabozantinib, a multikinase inhibitor that inhibits MET and AXL, suppressed the cell growth of cells with acquired resistance both in vitro and in vivo. In the SNU216-derived cell line, YES1, which is a member of the Src family, was remarkably activated, and dasatinib, a Src inhibitor, exerted a strong antitumor effect in these cells. In conclusion, we identified MET and AXL activation in addition to YES1 activation as novel mechanisms of afatinib resistance in HER2-driven gastric cancer. Our results also indicated that treatment strategies targeting individual mechanisms of resistance are key to overcoming such resistance

    YES1 activation induces acquired resistance to neratinib in HER2-amplified breast and lung cancers

    Molecular-targeted therapies directed against human epidermal growth factor receptor 2 (HER2) are evolving for various cancers. Neratinib is an irreversible pan-HER tyrosine kinase inhibitor and has been approved by the FDA as an effective drug for HER2-positive breast cancer. However, acquired resistance of various cancers to molecular-targeted drugs is an issue of clinical concern, and emergence of resistance to neratinib is also considered inevitable. In this study, we established various types of neratinib-resistant cell lines from HER2-amplified breast and lung cancer cell lines using several drug exposure conditions. We analyzed the mechanisms of emergence of the resistance in these cell lines and explored effective strategies to overcome the resistance. Our results revealed that amplification of YES1, which is a member of the SRC family, was amplified in two neratinib-resistant breast cancer cell lines and one lung cancer cell line. Knockdown of YES1 by siRNA and pharmacological inhibition of YES1 by dasatinib restored the sensitivity of the YES1-amplified cell lines to neratinib in vitro. Combined treatment with dasatinib and neratinib inhibited tumor growth in vivo. This combination also induced downregulation of signaling molecules such as HER2, AKT and MAPK. Our current results indicate that YES1 plays an important role in the emergence of resistance to HER2-targeted drugs, and that dasatinib enables such acquired resistance to neratinib to be overcome