
    Functional Encryption for Quadratic Functions, and Applications to Predicate Encryption

    We present a functional encryption scheme based on standard assumptions where ciphertexts are associated with a tuple of values $(x_1,\ldots,x_n) \in \mathbb{Z}_p^n$, secret keys are associated with a degree-two polynomial, and the decryption of a ciphertext $\mathsf{ct}_{(x_1,\ldots,x_n) \in \mathbb{Z}_p^n}$ with a secret key $\mathsf{sk}_{P \in \mathbb{Z}_p[X_1,\ldots,X_n],\ \deg(P) \leq 2}$ recovers $P(x_1,\ldots,x_n)$, where the ciphertext contains only $O(n)$ group elements. Our scheme, which achieves selective security based on pairings, also yields a new predicate encryption scheme that supports degree-two polynomial evaluation, generalizing both [KSW 08] and [BSW 06].

    Indistinguishability Obfuscation from Circular Security

    We show the existence of indistinguishability obfuscators (iO) for general circuits assuming subexponential security of:
    - the Learning with Errors (LWE) assumption (with subexponential modulus-to-noise ratio);
    - a circular security conjecture regarding the Gentry-Sahai-Waters (GSW) encryption scheme and a packed version of Regev's encryption scheme.
    The circular security conjecture states that a notion of leakage-resilient security, which we prove is satisfied by GSW assuming LWE, is retained in the presence of an encrypted key-cycle involving GSW and Packed Regev. Our work thus places iO on qualitatively similar assumptions as (unlevelled) FHE, for which known constructions also rely on a circular security conjecture.

    On the Feasibility of Unleveled Fully-Homomorphic Signatures

    We build the first unleveled fully homomorphic signature scheme in the standard model. Our scheme is not constrained by any a-priori bound on the depth of the functions that can be homomorphically evaluated, and relies on subexponentially-secure indistinguishability obfuscation, fully-homomorphic encryption and a non-interactive zero-knowledge (NIZK) proof system with composable zero-knowledge. Our scheme is also the first to satisfy the strong security notion of context-hiding for an unbounded number of levels, ensuring that signatures computed homomorphically do not leak the original messages from which they were computed. All building blocks are instantiable from falsifiable assumptions in the standard model, avoiding the need for knowledge assumptions. The main difficulty we overcome stems from the fact that bootstrapping, which is a crucial tool for obtaining unleveled fully homomorphic encryption (FHE), has no equivalent for homomorphic signatures, requiring us to use novel techniques.

    Multi-Authority ABE, Revisited

    Attribute-Based Encryption (ABE) is a cryptographic primitive which supports fine-grained access control on encrypted data, making it an appealing building block for many applications. Multi-Authority Attribute-Based Encryption (MA-ABE) is a generalization of ABE where the central authority is distributed across several independent parties. We provide the first MA-ABE scheme from prime-order pairings where no trusted setup is needed and where the attribute universe of each authority is unbounded. Our constructions rely on a common modular blueprint that uses an Identity-Based Functional Encryption scheme for inner products (ID-IPFE) as an underlying primitive. Our presentation leads to simple proofs of security and brings new insight into the algebraic design choices that seem common to existing schemes. In particular, the well-known MA-ABE construction by Lewko and Waters (EUROCRYPT 2011) can be seen as a specific instantiation of our modular construction. Our schemes enjoy all of their advantageous features, plus the improvements mentioned above. Furthermore, different instantiations of the core ID-IPFE primitive lead to various security/efficiency trade-offs: we propose an adaptively secure construction proven in the generic group model and a selectively secure one that relies on SXDH. As in previous work, we rely on a hash function (to generate matching randomness for the same user across different authorities while preserving collusion resistance) that is modeled as a random oracle.

    Improved Dual System ABE in Prime-Order Groups via Predicate Encodings

    We present a modular framework for the design of efficient adaptively secure attribute-based encryption (ABE) schemes for a large class of predicates under the standard k-Lin assumption in prime-order groups; this is the first uniform treatment of dual system ABE across different predicates and across both composite- and prime-order groups. Via this framework, we obtain concrete efficiency improvements for several ABE schemes. Our framework has three novel components over prior works: (i) new techniques for simulating composite-order groups in prime-order ones, (ii) a refinement of the prior encodings framework for dual system ABE in composite-order groups, (iii) an extension to weakly attribute-hiding predicate encryption (which includes anonymous identity-based encryption as a special case).

    Reading in the Dark: Classifying Encrypted Digits with Functional Encryption

    As machine learning grows into a ubiquitous technology that finds many interesting applications, the privacy of data is becoming a major concern. This paper deals with machine learning on encrypted data. Our contribution is twofold: we first build a new Functional Encryption scheme for quadratic multi-variate polynomials, which outperforms previous schemes. It enables the efficient computation of quadratic polynomials on encrypted vectors, so that only the result is in the clear. We then turn to quadratic networks, a class of machine learning models, and show that their design makes them particularly suited to our encryption scheme. This synergy yields a technique for efficiently recovering a plaintext classification of encrypted data. Finally, we prototype our construction and run it on the MNIST dataset to demonstrate practical relevance. We obtain 97.54% accuracy, with decryption and encryption taking a few seconds.

    Indistinguishability Obfuscation from Simple-to-State Hard Problems: New Assumptions, New Techniques, and Simplification

    In this work, we study the question of what set of simple-to-state assumptions suffice for constructing functional encryption and indistinguishability obfuscation ($i\mathcal{O}$), supporting all functions describable by polynomial-size circuits. Our work improves over the state-of-the-art work of Jain, Lin, Matt, and Sahai (Eurocrypt 2019) in multiple dimensions.
    New Assumption: Prior to our work, all constructions of $i\mathcal{O}$ from simple assumptions required novel pseudorandom generators involving LWE samples and constant-degree polynomials over the integers, evaluated on the error of the LWE samples. In contrast, Boolean pseudorandom generators (PRGs) computable by constant-degree polynomials have been extensively studied since the work of Goldreich (2000). We show how to replace the novel pseudorandom objects over the integers used in previous works with appropriate Boolean pseudorandom generators with sufficient stretch, when combined with LWE with binary error over suitable parameters. Both binary-error LWE and constant-degree Goldreich PRGs have been the subject of extensive cryptanalysis since well before our work, and thus we back the plausibility of our assumption with security against the algorithms studied in the context of cryptanalysis of these objects.
    New Techniques: We introduce a number of new techniques:
    - We show how to build partially-hiding public-key functional encryption, supporting degree-2 functions in the secret part of the message and arithmetic $\mathsf{NC}^1$ functions over the public part of the message, assuming only standard assumptions over asymmetric pairing groups.
    - We construct single-ciphertext and single-secret-key functional encryption for all circuits with long outputs, which has the features of linear key generation and compact ciphertexts, assuming only the LWE assumption.
    Simplification: Unlike prior works, our new techniques furthermore let us construct public-key functional encryption for polynomial-sized circuits directly (without invoking any bootstrapping theorem, nor a transformation from secret-key to public-key FE), and based only on the polynomial hardness of the underlying assumptions. The functional encryption scheme satisfies a strong notion of efficiency where the size of the ciphertext is independent of the size of the circuit to be computed, and grows only sublinearly in the output size of the circuit and polynomially in the input size and the depth of the circuit. Finally, assuming that the underlying assumptions are subexponentially hard, we can bootstrap this construction to achieve $i\mathcal{O}$.

    Characterisation of semiconductor optical amplifiers for all-optical regeneration

    We report on the characterisation of different semiconductor optical amplifiers (SOAs) designed and fabricated for all-optical regeneration. Dynamic measurements in a pump-probe configuration show a short time response of around 50 ps. Chirp measurements by the FROG technique are also reported. The characterisations demonstrate the potential of these components, combined with an interferometer and optical filtering, to achieve regeneration functions at bit rates of 40 Gbit/s and above.

    Decentralized Multi-Client Functional Encryption for Inner Product

    We consider a situation where multiple parties, owning data that have to be frequently updated, agree to share weighted sums of these data with some aggregator, but where they do not wish to reveal their individual data, and do not trust each other. We combine techniques from Private Stream Aggregation (PSA) and Functional Encryption (FE) to introduce a primitive we call Decentralized Multi-Client Functional Encryption (DMCFE), for which we give a practical instantiation for inner-product functionalities. This primitive allows various senders to non-interactively generate ciphertexts which support inner-product evaluation, with functional decryption keys that can also be generated non-interactively, in a distributed way, among the senders. Interaction is required during the setup phase only. We prove adaptive security of our constructions, while allowing corruptions of the clients, in the random oracle model.