Constraint hiding constrained PRF for NC1 from LWE. Ran Canetti, Yilei Chen, # Eurocrypt 2017 special edition
|
|
- Sarah Holland
- 5 years ago
- Views:
Transcription
1 Constraint hiding constrained PRF for NC1 from LWE Ran Canetti, Yilei Chen, # Eurocrypt 2017 special edition 1
2 2
3 Puncture! 3
4 4 Puncturable/constrained PRF [Boneh, Waters 13, Kiayias, Papadopoulos, Triandopoulos, Zacharias 13, Boyle, Goldwasser, Ivan 14, Sahai, Waters 14] x*?, if x=x* K FK{x*}(x)= { F (x), else K original key punctured key
5 5 Puncturable/constrained PRF [Boneh, Waters 13, Kiayias, Papadopoulos, Triandopoulos, Zacharias 13, Boyle, Goldwasser, Ivan 14, Sahai, Waters 14] x*?, if x=x* K FK{x*}(x)= { F (x), else K original key punctured key Puncture(K, x*) => K{x*} s.t. Fk(x*) is pseudorandom, give the K{x*} that preserve the original outputs elsewhere.
6 6 Puncturable/constrained PRF [Boneh, Waters 13, Kiayias, Papadopoulos, Triandopoulos, Zacharias 13, Boyle, Goldwasser, Ivan 14, Sahai, Waters 14] x*?, if x=x* K FK{x*}(x)= { F (x), else K original key punctured key Puncture(K, x*) => K{x*} s.t. Fk(x*) is pseudorandom, give the K{x*} that preserve the original outputs elsewhere. In general: Constrain(K, C) => K{C}
7 7 Puncturable/constrained PRF [Boneh, Waters 13, Kiayias, Papadopoulos, Triandopoulos, Zacharias 13, Boyle, Goldwasser, Ivan 14, Sahai, Waters 14] x*?, if x=x* K FK{x*}(x)= { F (x), else K original key punctured key Puncture(K, x*) => K{x*} s.t. Fk(x*) is pseudorandom, give the K{x*} that preserve the original outputs elsewhere. In general: Constrain(K, C) => K{C} They have many applications (broadcast encryption, identity-based KE), best known for being good friends of io
8 Puncturable PRF from GGM [Goldreich, Goldwasser, Micali 84] 8
9 Puncturable PRF from GGM [Goldreich, Goldwasser, Micali 84] original fresh random 9
10 Puncturable PRF from GGM [Goldreich, Goldwasser, Micali 84] original fresh random The constrained key reveals the point x* 10
11 Constraint-hiding Constrained PRF 11
12 Constraint-hiding Constrained PRF hide 12
13 Constraint-hiding Constrained PRF?? 13
14 Constraint-hiding Constrained PRF? = secret?? 14
15 Constraint-hiding Constrained PRF? = secret?? = key?? 15
16 Constraint-hiding Constrained PRF? = secret?? = key??=?? #faketenniscourtoath 16
17 Boneh, Lewi, Wu (PKC 17, eprint 2015/1167) What are Constraint-Hiding CPRFs: - An indistinguishability-based definition 17
18 Boneh, Lewi, Wu (PKC 17, eprint 2015/1167) What are Constraint-Hiding CPRFs: - An indistinguishability-based definition Where to find them (secure for many keys): - io(pprf) is CHCPRF - Bit-fixing from multilinear DDH, puncturing from multilinear subgroup-hiding 18
19 Boneh, Lewi, Wu (PKC 17, eprint 2015/1167) What are Constraint-Hiding CPRFs: - An indistinguishability-based definition Where to find them (secure for many keys): - io(pprf) is CHCPRF - Bit-fixing from multilinear DDH, puncturing from multilinear subgroup-hiding How to use them: - Private-key deniable encryption, - Privately-detectable watermarking, - Searchable encryption - 19
20 This work: Canetti, Chen (Eurocrypt 17) What are Constraint-Hiding CPRFs: - A simulation-based definition of CHCPRF 20
21 This work: Canetti, Chen (Eurocrypt 17) What are Constraint-Hiding CPRFs: - A simulation-based definition of CHCPRF Where to find them: - Simulation-based 1-key CHCPRFs for NC1 from Learning With Errors 21
22 This work: Canetti, Chen (Eurocrypt 17) What are Constraint-Hiding CPRFs: - A simulation-based definition of CHCPRF Where to find them: - Simulation-based 1-key CHCPRFs for NC1 from Learning With Errors How to use them: - 1-key CHCPRF implies 1-key private-key functional encryption (reusable garbled circuits) - 2-key CHCPRF implies obfuscation* 22
23 Concurrent work: Boneh, Kim, Montgomery (Eurocrypt 17) 1-key puncturable CHCPRFs from LWE. Both root from previous lattices-based PRFs, but different method to constrain and hide. 23
24 Plan for the talk: Part 1: Definition, implications to obfuscation, functional encryption Part 2: How to construct CHCPRFs for NC1 24
25 Defining constraint-hiding constraint PRF (CHCPRF) 25
26 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) definition of CHCPRF 26
27 Simulation-based CHCPRF [CC 17] for all p.p.t. adv, there s a simulator, s.t. the outputs of the real and simulated distributions are indistinguishable. adv Real Simulator 27
28 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Constraint query C Real adv Simulation-based definition of CHCPRF 28
29 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Cons(MSK, C) -> K[C] Real Constraint query C adv Simulation-based definition of CHCPRF 29
30 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Cons(MSK, C) -> K[C] Constraint query C Input query x Real adv Simulation-based definition of CHCPRF 30
31 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Cons(MSK, C) -> K[C] Eval(MSK, x) -> FK(x) Real Constraint query C Input query x adv Simulation-based definition of CHCPRF 31
32 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Constraint query C adv Simulator Simulation-based definition of CHCPRF 32
33 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Constraint query C adv KS <- Sim(MSKS, 1 C ) Simulator Simulation-based definition of CHCPRF 33
34 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Constraint query C KS <- Sim(MSKS, 1 C ) Input query x adv Simulator Simulation-based definition of CHCPRF 34
35 Master_KeyGen -> MSK Cons(MSK, C) -> K[C] Eval(K, x) -> FK(x) Constraint query C Input query x adv KS <- Sim(MSKS, 1 C ) ys <- Sim(MSKS, x, C(x)) Simulator Simulation-based definition of CHCPRF 35
36 Correctness: for x s.t. C(x)=1, Pr [ FK(x) = FK[C](x) ] > 1-negl. Cons(MSK, C) -> K[C] Eval(MSK, x) -> FK(x) Real Constraint query C Input query x adv KS <- Sim(MSKS, 1 C ) ys <- Sim(MSKS, x, C(x)) Simulator Simulation-based definition of CHCPRF 36
37 Correctness: for x s.t. C(x)=1, Pr [ FK(x) = FK[C](x) ] > 1-negl. Pseudorandom & Constraint-hiding: K[C], FK(x) c KS, ys Cons(MSK, C) -> K[C] Eval(MSK, x) -> FK(x) Constraint query C Input query x (when C(x)=0, ys is from random) KS <- Sim(MSKS, 1 C ) ys <- Sim(MSKS, x, C(x)) adv Real Simulator Simulation-based definition of CHCPRF 37
38 Theorem [CC17] For 1-constrained key in the selective setting sim-based = ind-based sim ind 38
39 Sim-based definition for many constrained keys adv Real Simulator 39
40 Correctness: for x s.t. C(x)=1, Pr [ FK(x) = FK[C](x) ] > 1-negl. Constraint-hiding: K[C1], K[C2] c K1S, K2S MSKS Master KeyGen MSK Cons(MSK, C1) -> K[C1] Constraint query C1 K1S <- Sim(MSKS, 1 C ) Cons(MSK, C2) -> K[C2] Constraint query C2 K2S <- Sim(MSKS, 1 C ) adv Simulator Real Sim-based definition for 2 keys 40
41 Correctness: for x s.t. C(x)=1, Pr [ FK(x) = FK[C](x) ] > 1-negl. K[C1], K[C2] c K1S, K2S Constraint-hiding: MSKS Master KeyGen MSK Cons(MSK, C1) -> K[C1] Constraint query C1 K1S <- Sim(MSKS, 1 C ) Cons(MSK, C2) -> K[C2] Constraint query C2 K2S <- Sim(MSKS, 1 C ) adv Hey Jude, C1(x)? C2(x)? Real Relaxed Sim-based definition for 2 keys Simulator 41
42 Reminiscent of obfuscation...
43 Theorem [ CC 17 ]: Two-key CHCPRF (for function class C) implies obfuscation (for C) - Two-key relaxed sim-chcprf implies strong VBB obfuscation - Two-key ind-chcprf implies io Obfuscation C Z 43
44 Theorem [ CC 17 ]: Two-key CHCPRF (for function class C) implies obfuscation (for C) - Two-key relaxed sim-chcprf implies strong VBB obfuscation - Two-key ind-chcprf implies io Construction: Obf = ( K[C], K[Z] ) Eval(x) = Eval( K[C], x) - Eval( K[Z], x) Obfuscation Idea implicit from the [GGHRSW13] candidate obfuscation C Z 44
45 Pope: wait you haven t achieved 2-key security
46 Pope: wait you haven t achieved 2-key security In the rest of the talk, we will focus on: 1-key simulation-based definition for CHCPRF.
47 De cr yp t th en Ev al CHCPRF => Functional encryption
48 Theorem [ CC 17 ] 1-key sim-based CHCPRF implies 1-key private-key functional encryption (reusable garbled circuits).
49 Theorem [ CC 17 ] 1-key sim-based CHCPRF implies 1-key private-key functional encryption (reusable garbled circuits). Construction: from normal encryption Sym and CHCPRF F Enc(m;r): ct = EncSym.K(m;r); tag = F[K](ct) FSK[Sym.K, F.K, C]: constrained key for the decryption and eval functionality C(DecSym.K(. )) Eval: compute F[C(DecSym.K(. ))](ct), and compare with tag
50 De nia b le Wa term En cry pti on arki n g? ion t p y r c n E l a Function How to construct CHCPRF? 50
51 Main construction: 1-key sim-based CHCPRFs for NC1 from Learning With Errors. 51
52 Main construction: 1-key sim-based CHCPRFs for NC1 from Learning With Errors. Combine: - Lattices-based PRFs - Barrington s theorem to embed functionality - GGH15 encoding to provide a public constrained mode Demonstrate a proof methodology of GGH15-based applications. 52
53 Banerjee, Peikert, Rosen 12 Subset-product & rounding Key: s1,1 s2,1... s1,0 s2,0... Eval: sn,1 sn,0 A mod q F(x) = { si,xi A }2 si,b are LWE secrets from low-norm distributions 53
54 Banerjee, Peikert, Rosen 12 Subset-product & rounding Key: s1,1 s2,1... s1,0 s2,0... Eval: sn,1 sn,0 A mod q F(x) = { si,xi A }2 What we need in addition to build a CHCPRF: + A proper public mode of the function (GGH15 encoding) + Embed structures in the secret terms to perform functionality (Barrington s theorem) 54
55 Tool 1: GGH15 encoding [Gentry, Gorbunov, Halevi 15] 55
56 A with Trapdoor Trapdoor [Ajtai 99, Alwen, Peikert 09, Micciancio, Peikert 12] Can sample A with a trapdoor T. Can sample small preimage from Gaussian [ Klein 00, GPV 08 ] 56
57 GGH15 encoding for the ith hop: Si,1 Ai Si,0 Ai+1 57
58 GGH15 encoding for the ith hop: Yi,1 = si,1 Ai+1+Ei,1 Si,1 Ai Si,0 Ai+1 Yi,0 = si,0 Ai+1+Ei,0 Encode(si,b): 2 steps 1. Yi,b = si,b Ai+1+Ei,b 58
59 GGH15 encoding for the ith hop: Ai Di,1 Di,0 Yi,1 = si,1 Ai+1+Ei,1 Si,1 Si,0 Ai+1 Yi,0 = si,0 Ai+1+Ei,0 Encode(si,b): 2 steps 1. Yi,b = si,b Ai+1+Ei,b 2. Sample (by the trapdoor of Ai) small Di,b s.t. AiDi,b=Yi,b Di,b = Encoding( Si,b ) 59
60 GGH15 for L hops: A1 A2 AL AL+1 60
61 GGH15 for L hops: S1,1 A1 S1,0 A2 SL,1 AL SL,0 AL+1 Encode(si,b): 2 steps 61
62 GGH15 for L hops: Y1,1 = s1,1 A2+E1,1 S1,1 A1 S1,0 A2 Y1,0 = s1,0 A2+E1,0 AL Encode(si,b): 2 steps 1. Yi,b = si,b Ai+1+Ei,b YL,1 = sl,1 AL+1+EL,1 SL,1 SL,0 AL+1 YL,0 = sl,0 AL+1+EL,0 62
63 GGH15 for L hops: A1 D1,1 D1,0 Y1,1 = s1,1 A2+E1,1 S1,1 S1,0 A2 Y1,0 = s1,0 A2+E1,0 AL DL,1 DL,0 YL,1 = sl,1 AL+1+EL,1 SL,1 SL,0 AL+1 YL,0 = sl,0 AL+1+EL,0 Encode(si,b): 2 steps 1. Yi,b = si,b Ai+1+Ei,b 2. Sample (by the trapdoor of Ai) small Di,b s.t. AiDi,b=Yi,b Let Di,b be Encoding(si,b) 63
64 GGH15 for L hops: A1 D1,1 A2 D1,0 AL DL,1 AL+1 DL,0 Review: What are public 64
65 Understanding the functionality of GGH15 65
66 Evaluation of GGH15 (prove by example): A1 D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 Eval(0110) = A1D1,0D2,1D3,1D4,0 66
67 Evaluation of GGH15 (prove by example): ( S1,1 S1,0 A2 + E1,1 + E1,0 ) D2,1 D3,1 D4,1 D2,0 D3,0 D4,0 Eval(0110) = A1D1,0D2,1D3,1D4,0 = (s1,0a2+e1,0)d2,1d3,1d4,0 67
68 Evaluation of GGH15 (prove by example): S1,1 S1,0 A2 Eval(0110) D2,1 D3,1 D4,1 D2,0 D3,0 D4,0 + small = A1D1,0D2,1D3,1D4,0 = (s1,0a2+e1,0)d2,1d3,1d4,0 = s1,0a2d2,1d3,1d4,0 + small 68
69 Evaluation of GGH15 (prove by example): S1,1 S1,0 ( S2,1 S2,0 A3 + E2,1 + E2,0 Eval(0110) = = = = ) D3,1 D4,1 D3,0 D4,0 + small A1D1,0D2,1D3,1D4,0 (s1,0a2+e1,0)d2,1d3,1d4,0 s1,0a2d2,1d3,1d4,0 + small s1,0(s2,1a3+e2,1)d3,1d4,0 + small 69
70 Evaluation of GGH15 (prove by example): S1,1 S1,0 S2,1 S2,0 Eval(0110) = = = = = A3 D3,1 D4,1 D3,0 D4,0 + small A1D1,0D2,1D3,1D4,0 (s1,0a2+e1,0)d2,1d3,1d4,0 s1,0a2d2,1d3,1d4,0 + small s1,0(s2,1a3+e2,1)d3,1d4,0 + small s1,0s2,1a3d3,1d4,0 + still small 70
71 Evaluation of GGH15 (prove by example): S1,1 S1,0 Eval(0110) = = = = = = S2,1 S2,0 S3,1 S3,0 A4 D4,1 D4,0 + small A1D1,0D2,1D3,1D4,0 (s1,0a2+e1,0)d2,1d3,1d4,0 s1,0a2d2,1d3,1d4,0 + small s1,0(s2,1a3+e2,1)d3,1d4,0 + small s1,0s2,1a3d3,1d4,0 + still small s1,0s2,1s3,1a4d4,0 + still smallish 71
72 Evaluation of GGH15 (prove by example): S1,1 S2,1 S3,1 S4,1 S1,0 S2,0 S3,0 S4,0 A5 + small Eval(0110) = = = = = = = A1D1,0D2,1D3,1D4,0 (s1,0a2+e1,0)d2,1d3,1d4,0 s1,0a2d2,1d3,1d4,0 + small s1,0(s2,1a3+e2,1)d3,1d4,0 + small s1,0s2,1a3d3,1d4,0 + still small s1,0s2,1s3,1a4d4,0 + still smallish s1,0s2,1s3,1s4,0a5 + small 72
73 Evaluation of GGH15 (prove by example): S1,1 S2,1 S3,1 S4,1 S1,0 S2,0 S3,0 S4,0 A5 Ev al ua te + small A1 D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 73
74 Tool 2: Barrington s theorem (used to embed a circuit into the key) 74
75 Barrington 1986: log-depth boolean circuits can be recognized by subset products of permutation matrices of width 5. Example: how to represent an AND gate 1 0 P -1 Q -1 P Q I I I I Input wire 1 Input wire 2 Input wire 1 Input wire 2 Our construction only work for certain representation of Barrington (e.g. S 5) 75
76 Representation of the constraint predicate: branching program 1 B1,1 B2,1 B3,1... BL,1 0 B1,0 B2,0 B3,0... BL,0 Steps 1 2 Eval: Bz(i),x_z(i) = I or C 3... L 76
77 We set the secrets like: S S1,1 S2,1 S3,1 S4,1 S1,0 S2,0 S3,0 S4,0 S S S S Representation of secrets (to be encoded by GGH15): Bi,b si,b S S S e.g. I s= S P s= S S S S S S 77
78 NC1-CHCPRF from GGH15 Master public key: A1 AL+1 (L = #steps in BP) Master secret key: trapdoors of A1 AL, s1,0, s1,1,..., sl,0, sl,1, & J Constrained key gen: let Si,b:=Bi,b si,b, sample GGH15 encodings for Si,b Eval: F(x) = { JA1 Di,x_z(i) }2 (z: [L]->[n] is the step-to-input mapping) GGH15(Bi,b si,b) Constrained key: D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 JA1+E
79 NC1-CHCPRF from GGH15 Master public key: A1 AL+1 (L = #steps in BP) Master secret key: trapdoors of A1 AL, s1,0, s1,1,..., sl,0, sl,1, & J Constrained key gen: let Si,b:=Bi,b si,b, sample GGH15 encodings for Si,b Eval: F(x) = { JA1 Di,x_z(i) }2 (z: [L]->[n] is the step-to-input mapping) Functionality check: when C(x)=1, F(x) = { JA1 Di,x_z(i) }2 = { J( I si,x_z(i) ) AL+1 + small noise }2 s{ J( I si,x_z(i) ) AL+1 }2 when C(x)=0, F(x) = { JA1 Di,x_z(i) }2 = { J( C si,x_z(i) ) AL+1 + small noise }2 s{ J( C si,x_z(i) ) AL+1 }2 79
80 NC1-CHCPRF from GGH15 * D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 JA1+E Compare to GGM 80
81 NC1-CHCPRF from GGH15 * Bi,b si,b D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 JA1+E original Our CHCPRF Compare to GGM fresh random 81
82 NC1-CHCPRF from GGH15 * Example: C(x)=0 iff x1=x2=1 query x=11 D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 JA1+E { I (s1,1s2,1s3,1s4,1 )A5 }2 Real What are we trying to simulate? Simulator 82
83 NC1-CHCPRF from GGH15 * Example: C(x)=0 iff x1=x2=1 query x=11 D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 JA1+E { I (s1,1s2,1s3,1s4,1 )A5 }2 Real AJ D1,1 D2,1 D3,1 D4,1 D1,0 { Uniform }2 D2,0 D3,0 D4,0 Proof by example with 1 input query Simulator 83
84 D1,1 D2,1 D3,1 D4,1 D1,0 D2,0 D3,0 D4,0 JA1+E D1,1 D2,1 D3,1 AJ D1,0 D2,0 D3,0 { J(I ( sz(x),x_z(x)))al+1 }2 Real Eval =... D4,1 { (JC-1A +E) D } c 1 z(x),x_z(x) 2 c { U Dz(x),x_z(x) }2 D4,0 c { Uniform }2 Simulator Proof of NC1-CHCPRF: - LWE with permutation-structured secrets + GPV sampling lemma - Close the trapdoor from the right to the left 84
85 Thanks for your time More in 85
Cryptography with Updates
Cryptography with Updates Slides and research in collaboration with: Prabhanjan Ananth UCLA Aloni Cohen MIT Abhishek Jain JHU Garbled Circuits C Offline: slow Online: fast x C(x) Garbled Circuits C Offline:
More informationYilei Chen Craig Gentry Shai 2017
e t a d i d n a c f s o r s o e t s a y c l s a u n f a b t o p y m r a C r g o r p g n i h c n a br Yilei Chen Craig Gentry Shai Halevi @Eurocrypt 07 976, Diffie, Hellman: We stand today on the brink
More informationPrivately Constraining and Programming PRFs, the LWE Way PKC 2018
Privately Constraining and Programming PRFs, the LWE Way Chris Peikert Sina Shiehian PKC 2018 1 / 15 Constrained Pseudorandom Functions [KPTZ 13,BW 13,BGI 14] 1 Ordinary evaluation algorithm Eval(msk,
More informationA Punctured Programming Approach to Adaptively Secure Functional Encryption
A Punctured Programming Approach to Adaptively Secure Functional Encryption Brent Waters University of Texas at Austin bwaters@cs.utexas.edu Abstract We propose the first construction for achieving adaptively
More informationApplication to More Efficient Obfuscation
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation (io)
More informationFunctional Signatures and Pseudorandom Functions
Functional Signatures and Pseudorandom Functions The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters. Citation As Published Publisher Boyle,
More informationAdaptively Secure Succinct Garbled RAM with Persistent Memory
Adaptively Secure Succinct Garbled RAM with Persistent Memory Ran Canetti, Yilei Chen, Justin Holmgren, Mariana Raykova DIMACS workshop MIT Media Lab June 8~10, 2016 1 : June 11, 2016, Boston, heavy snow.
More informationMulti-Theorem Preprocessing NIZKs from Lattices
Multi-Theorem Preprocessing NIZKs from Lattices Sam Kim and David J. Wu Stanford University Soundness: x L, P Pr P, V (x) = accept = 0 No prover can convince honest verifier of false statement Proof Systems
More informationFrom Selective to Adaptive Security in Functional Encryption
From Selective to Adaptive Security in Functional Encryption Prabhanjan Ananth 1, Zvika Brakerski 2, Gil Segev 3, and Vinod Vaikuntanathan 4 1 University of California, Los Angeles, USA. 2 Weizmann Institute
More informationTools for Computing on Encrypted Data
Tools for Computing on Encrypted Data Scribe: Pratyush Mishra September 29, 2015 1 Introduction Usually when analyzing computation of encrypted data, we would like to have three properties: 1. Security:
More informationFunction-Private Functional Encryption in the Private-Key Setting
Function-Private Functional Encryption in the Private-Key Setting Zvika Brakerski 1 and Gil Segev 2 1 Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Rehovot 76100,
More informationMultiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation
Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation Dan Boneh and Mark Zhandry Stanford University {dabo,zhandry}@cs.stanford.edu Abstract. In this work,
More informationForward & Backward Private Searchable Encryption from Constrained Cryptographic Primitives
Forward & Backward Private Searchable Encryption from Constrained Cryptographic Primitives Raphael Bost, Brice Minaud, Olga Ohrimenko ACM CCS 17 - Dallas, TX - 11/01/2017 Great Co-Authors Brice Minaud
More informationPROGRAM obfuscation is the process of making it unintelligible
INTL JOURNAL OF ELECTRONICS AND TELECOMMUNICATIONS, 2018, VOL. 64, NO. 2, PP. 173 178 Manuscript received January 24, 2018; revised March, 2018. DOI: 10.24425/119366 Block Cipher Based Public Key Encryption
More informationBetter 2-round adaptive MPC
Better 2-round adaptive MPC Ran Canetti, Oxana Poburinnaya TAU and BU BU Adaptive Security of MPC Adaptive corruptions: adversary adversary can decide can decide who to who corrupt to corrupt adaptively
More informationFunctional Encryption: Deterministic to Randomized Functions from Simple Assumptions. Shashank Agrawal and David J. Wu
Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions Shashank Agrawal and David J. Wu Public-Key Functional Encryption [BSW11, O N10] x f(x) Keys are associated with deterministic
More informationCryptography CS 555. Topic 11: Encryption Modes and CCA Security. CS555 Spring 2012/Topic 11 1
Cryptography CS 555 Topic 11: Encryption Modes and CCA Security CS555 Spring 2012/Topic 11 1 Outline and Readings Outline Encryption modes CCA security Readings: Katz and Lindell: 3.6.4, 3.7 CS555 Spring
More informationAttribute-Based Encryption. Allison Lewko, Microsoft Research
Attribute-Based Encryption Allison Lewko, Microsoft Research The Cast of Characters This talk will feature work by: Brent Waters Amit Sahai Vipul Goyal Omkant Pandey With special guest appearances by:
More informationSemi-Adaptive Security and Bundling Functionalities Made Generic and Easy
Semi-Adaptive Security and Bundling Functionalities Made Generic and Easy Rishab Goyal rgoyal@cs.utexas.edu Venkata Koppula kvenkata@cs.utexas.edu Brent Waters bwaters@cs.utexas.edu Abstract Semi-adaptive
More informationFunctional Encryption and its Impact on Cryptography
Functional Encryption and its Impact on Cryptography Hoeteck Wee ENS, Paris, France Abstract. Functional encryption is a novel paradigm for public-key encryption that enables both fine-grained access control
More informationCryptographic Agents: Towards a Unified Theory of Computing on Encrypted Data
Cryptographic Agents: Towards a Unified Theory of Computing on Encrypted Data Shashank Agrawal 1, Shweta Agrawal 2, and Manoj Prabhakaran 1 University of Illinois Urbana-Champaign {sagrawl2,mmp}@illinois.edu
More informationUpdatable Functional Encryption
Updatable Functional Encryption Afonso Arriaga 1, Vincenzo Iovino 1, and Qiang Tang 1 SnT, University of Luxembourg, Luxembourg City, Luxembourg afonso.delerue@uni.lu, vincenzo.iovino@uni.lu, tonyrhul@gmail.com
More information5Gen-C: Multi-input Functional Encryption and Program Obfuscation for Arithmetic Circuits
5Gen-C: Multi-input Functional Encryption and Program Obfuscation for Arithmetic Circuits Brent Carmer Oregon State University Galois, Inc. bcarmer@galois.com Alex J. Malozemoff Galois, Inc. amaloz@galois.com
More informationOptimal-Rate Non-Committing Encryption in a CRS Model
Optimal-Rate Non-Committing Encryption in a CRS Model Ran Canetti Oxana Poburinnaya Mariana Raykova May 24, 2016 Abstract Non-committing encryption (NCE) implements secure channels under adaptive corruptions
More informationSecurity and Privacy through Modern Cryptography
Security and Privacy through Modern Cryptography David Wu Stanford University Cryptography in the 1970s How can two users who have never met before communicate securely with each other? m secrecy integrity
More informationGarbled Circuits via Structured Encryption Seny Kamara Microsoft Research Lei Wei University of North Carolina
Garbled Circuits via Structured Encryption Seny Kamara Microsoft Research Lei Wei University of North Carolina Garbled Circuits Fundamental cryptographic primitive Possess many useful properties Homomorphic
More informationEfficient and Secure Multi-Party Computation with Faulty Majority and Complete Fairness
Efficient and Secure Multi-Party Computation with Faulty Majority and Complete Fairness Juan Garay Philip MacKenzie Ke Yang (Bell Labs) (Bell Labs) (CMU) 0 Multi-Party Computation (MPC) Parties È ½ È ¾
More informationRe-encryption, functional re-encryption, and multi-hop re-encryption: A framework for achieving obfuscation-based security
Re-encryption, functional re-encryption, and multi-hop re-encryption: A framework for achieving obfuscation-based security and instantiations from lattices Nishanth Chandran 1, Melissa Chase 1, Feng-Hao
More informationProgram Obfuscation with Leaky Hardware
Program Obfuscation with Leaky Hardware The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters. Citation As Published Publisher Bitansky,
More informationWatermarking Public-key Cryptographic Functionalities and Implementations
Watermarking Public-key Cryptographic Functionalities and Implementations Foteini Baldimtsi 1, ggelos Kiayias 2, and Katerina Samari 3 1 George Mason University, US 2 University of Edinburgh and IOHK,
More informationAttribute-Based Fully Homomorphic Encryption with a Bounded Number of Inputs
Attribute-Based Fully Homomorphic Encryption with a Bounded Number of Inputs Michael Clear and Ciarán McGoldrick School of Computer Science and Statistics, Trinity College Dublin {clearm, Ciaran.McGoldrick}@scss.tcd.ie
More informationSecure Indexes. Eu-Jin Goh May 5, 2004
Secure Indexes Eu-Jin Goh eujin@cs.stanford.edu May 5, 2004 Abstract A secure index is a data structure that allows a querier with a trapdoor for a word x to test in O(1) time only if the index contains
More informationPredicate Encryption for Circuits from LWE
Predicate Encryption for Circuits from LWE Sergey Gorbunov 1, Vinod Vaikuntanathan 1, and Hoeteck Wee 2 1 MIT 2 ENS Abstract. In predicate encryption, a ciphertext is associated with descriptive attribute
More informationEncryption from the Diffie-Hellman assumption. Eike Kiltz
Encryption from the Diffie-Hellman assumption Eike Kiltz Elliptic curve public-key crypto Key-agreement Signatures Encryption Diffie-Hellman 76 passive security ElGamal 84 passive security Hybrid DH (ECDH)
More informationAuthenticated encryption
Authenticated encryption Mac forgery game M {} k R 0,1 s m t M M {m } t mac k (m ) Repeat as many times as the adversary wants (m, t) Wins if m M verify m, t = 1 Mac forgery game Allow the adversary to
More informationObfuscation (IND-CPA Security Circular Security)
Obfuscation (IND-CPA Security Circular Security) Antonio Marcedone 1, and Claudio Orlandi 2 1 Scuola Superiore di Catania, University of Catania, Italy, amarcedone@cs.au.dk 2 Aarhus University, Denmark,
More information5Gen-C: Multi-input Functional Encryption and Program Obfuscation for Arithmetic Circuits
5Gen-C: Multi-input Functional Encryption and Program Obfuscation for Arithmetic Circuits Brent Carmer Oregon State University Galois, Inc. bcarmer@galois.com Alex J. Malozemoff Galois, Inc. amaloz@galois.com
More informationSomewhat Homomorphic Encryption
Somewhat Homomorphic Encryption Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Part 1: Homomorphic Encryption: Background, Applications, Limitations Computing
More informationSHE AND FHE. Hammad Mushtaq ENEE759L March 10, 2014
SHE AND FHE Hammad Mushtaq ENEE759L March 10, 2014 Outline Introduction Needs Analogy Somewhat Homomorphic Encryption (SHE) RSA, EL GAMAL (MULT) Pallier (XOR and ADD) Fully Homomorphic Encryption (FHE)
More informationHomomorphic encryption (whiteboard)
Crypto Tutorial Homomorphic encryption Proofs of retrievability/possession Attribute based encryption Hidden vector encryption, predicate encryption Identity based encryption Zero knowledge proofs, proofs
More informationNotes for Lecture 5. 2 Non-interactive vs. Interactive Key Exchange
COS 597C: Recent Developments in Program Obfuscation Lecture 5 (9/29/16) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 5 1 Last Time Last time, we saw that we can get public
More informationIndistinguishability Obfuscation with Non-trivial Efficiency
Indistinguishability Obfuscation with Non-trivial Efficiency Huijia Lin Rafael Pass Karn Seth Sidharth Telang January 4, 2016 Abstract It is well known that inefficient indistinguishability obfuscators
More informationImplementing Fully Key-Homomorphic Encryption in Haskell. Maurice Shih CS 240h
Implementing Fully Key-Homomorphic Encryption in Haskell Maurice Shih CS 240h Abstract Lattice based encryption schemes have many desirable properties. These include uantum and classic computer attack
More informationSeparating IND-CPA and Circular Security for Unbounded Length Key Cycles
Separating IND-CPA and Circular Security for Unbounded Length Key Cycles Rishab Goyal Venkata Koppula Brent Waters Abstract A public key encryption scheme is said to be n-circular secure if no PPT adversary
More informationPractical Implementations of Program Obfuscators for Point Functions
Practical Implementations of Program Obfuscators for Point Functions Giovanni Di Crescenzo Lisa Bahler, Brian Coan Applied Communication Sciences Basking Ridge, NJ, 07920, USA Email: gdicrescenzo@appcomsci.com
More informationSurvey and New Idea for Attribute-Based Identification Scheme Secure against Reset Attacks ABSTRACT SECTION 1: INTRODUCTION
International Journal of Cryptology Research X(Y): (20ZZ) Survey and New Idea for Attribute-Based Identification Scheme Secure against Reset Attacks 1 Ji-Jian Chin, 2 Hiroaki Anada, 3 Seiko Arita, 2,4
More informationOn Virtual Grey Box Obfuscation for General Circuits
On Virtual Grey Box Obfuscation for General Circuits Nir Bitansky 1, Ran Canetti 1,2, Yael Tauman Kalai 3, and Omer Paneth 2 1 Tel Aviv University, Tel Aviv, Israel 2 Boston University, Boston, U.S.A.
More informationKey-policy Attribute-based Encryption for Boolean Circuits from Bilinear Maps
Key-policy Attribute-based Encryption for Boolean Circuits from Bilinear Maps Ferucio Laurenţiu Ţiplea and Constantin Cătălin Drăgan Department of Computer Science Al.I.Cuza University of Iaşi Iaşi 700506,
More informationLaconic Zero Knowledge to. Akshay Degwekar (MIT)
Laconic Zero Knowledge to Public Key Cryptography Akshay Degwekar (MIT) Public Key Encryption (PKE) [Diffie-Hellman76, Rivest-Shamir-Adelman78, Goldwasser-Micali82] sk pk Public Key Encryption ct = Enc
More informationCryptography CS 555. Topic 8: Modes of Encryption, The Penguin and CCA security
Cryptography CS 555 Topic 8: Modes of Encryption, The Penguin and CCA security 1 Reminder: Homework 1 Due on Friday at the beginning of class Please typeset your solutions 2 Recap Pseudorandom Functions
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationAggregate and Verifiably Encrypted Signatures from Multilinear Maps Without Random Oracles
A preliminary version appears in ISA 2009, Lecture Notes in Computer Science, Springer-Verlag, 2009. Aggregate and Verifiably Encrypted Signatures from Multilinear Maps Without Random Oracles Markus Rückert
More informationLecture 15: Public Key Encryption: I
CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used
More informationReplacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation
Replacing a Random Oracle: Full Domain Hash From Indistinguishability Obfuscation Susan Hohenberger, Amit Sahai, and Brent Waters 1 Johns Hopkins University, susan@cs.jhu.edu 2 UCLA, sahai@cs.ucla.edu
More informationUpgrading to Functional Encryption
Upgrading to Functional Encryption Saikrishna Badrinarayanan Dakshita Khurana Amit Sahai Brent Waters Abstract The notion of Functional Encryption (FE) has recently emerged as a strong primitive with several
More informationPrivacy Preserving Revocable Predicate Encryption Revisited
Privacy Preserving Revocable Predicate Encryption Revisited Kwangsu Lee Intae Kim Seong Oun Hwang Abstract Predicate encryption (PE) that provides both the access control of ciphertexts and the privacy
More informationForward and Backward Private Searchable Encryption from Constrained Cryptographic Primitives
Forward and Backward Private Searchable Encryption from Constrained Cryptographic Primitives Raphael Bost Brice Minaud Olga Ohrimenko Abstract Using dynamic Searchable Symmetric Encryption, a user with
More informationIntroduction to Secure Multi-Party Computation
Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the University of Texas, Austin for providing these slides. slide 1 Motivation General framework for describing computation
More informationCommunication Locality in Secure Multi-Party Computation
Communication Locality in Secure Multi-Party Computation How to Run Sublinear Algorithms in a Distributed Setting Elette Boyle 1, Shafi Goldwasser 2, and Stefano Tessaro 1 1 MIT CSAIL, eboyle@mit.edu,
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationUnbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018
Unbounded Inner Product Functional Encryption from Bilinear Maps ASIACRYPT 2018 Junichi Tomida (NTT), Katsuyuki Takashima (Mitsubishi Electric) Functional Encryption[OʼNeill10, BSW11] msk Bob f(x) sk f
More informationClient-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity
Client-Server Concurrent Zero Knowledge with Constant Rounds and Guaranteed Complexity Ran Canetti 1, Abhishek Jain 2, and Omer Paneth 3 1 Boston University and Tel-Aviv University, canetti@bu.edu 2 Boston
More informationLecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model
CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look
More information21 Software Obfuscation
21 Software Obfuscation Let us stop and think of the notions we have seen in cryptography. We have seen that under reasonable computational assumptions (such as LWE) we can achieve the following: CPA secure
More informationSome Advances in. Broadcast Encryption and Traitor Tracing
Some Advances in Broadcast Encryption and Traitor Tracing Duong Hieu Phan (Séminaire LIPN - 18 Novembre 2014 ) Duong Hieu Phan Some Advances in BE&TT Séminaire LIPN 1 / 42 Multi-receiver Encryption From
More informationFunction-Private Identity-Based Encryption: Hiding the Function in Functional Encryption
Function-Private Identity-Based Encryption: Hiding the Function in Functional Encryption Dan Boneh, Ananth Raghunathan, and Gil Segev Computer Science Department Stanford University, Stanford, CA 94305.
More informationFrom Selective IBE to Full IBE and Selective HIBE
From Selective IBE to Full IBE and Selective HIBE Nico Döttling 1 and Sanjam Garg 2 1 Friedrich-Alexander-University Erlangen-Nürnberg 2 University of California, Berkeley Abstract. Starting with any selectively
More informationImplementing Resettable UC-functionalities with Untrusted Tamper-proof Hardware-Tokens
Implementing Resettable UC-functionalities with Untrusted Tamper-proof Hardware-Tokens Nico Döttling, Thilo Mie, Jörn Müller-Quade, and Tobias Nilges Karlsruhe Institute of Technology, Karlsruhe, Germany
More informationOn Obfuscation with Random Oracles
On Obfuscation with Random Oracles Ran Canetti Yael Tauman Kalai Omer Paneth January 20, 2015 Abstract Assuming trapdoor permutations, we show that there eist function families that cannot be VBBobfuscated
More informationSecurity Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017
Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017 Hyung Tae Lee 1, Huaxiong Wang 2, Kai Zhang 3, 4 1 Chonbuk National University, Republic of Korea 2 Nanyang
More informationHomomorphic Encryption
Homomorphic Encryption Travis Mayberry Cloud Computing Cloud Computing Cloud Computing Cloud Computing Cloud Computing Northeastern saves money on infrastructure and gets the benefit of redundancy and
More informationNotes for Lecture 14
COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e
More informationTurning HATE Into LOVE: Homomorphic Ad Hoc Threshold Encryption for Scalable MPC
Turning HATE Into LOVE: Homomorphic Ad Hoc Threshold Encryption for Scalable MPC Leonid Reyzin, Adam Smith, and Sophia Yakoubov Boston University Abstract. We explore large-scale fault-tolerant multiparty
More informationThe Magic of ELFs. Mark Zhandry Princeton University (Work done while at MIT)
The Magic of ELFs Mark Zhandry Princeton University (Work done while at MIT) Prove this secure: Enc(m) = ( TDP(r), H(r) m ) (CPA security, many- bit messages, arbitrary TDP) Random Oracles Random Oracle
More informationSecure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)
Secure Multiparty Computation: Introduction Ran Cohen (Tel Aviv University) Scenario 1: Private Dating Alice and Bob meet at a pub If both of them want to date together they will find out If Alice doesn
More informationMessage Authentication ( 消息认证 )
Message Authentication ( 消息认证 ) Sheng Zhong Yuan Zhang Computer Science and Technology Department Nanjing University 2017 Fall Sheng Zhong, Yuan Zhang (CS@NJU) Message Authentication ( 消息认证 ) 2017 Fall
More informationOn the Implausibility of Differing-Inputs Obfuscation and Extractable Witness Encryption with Auxiliary Input
On the Implausibility of Differing-Inputs Obfuscation and Extractable Witness Encryption with Auxiliary Input Sanjam Garg 1, Craig Gentry 1, Shai Halevi 1, and Daniel Wichs 2 1 IBM Research, T.J. Watson.
More information6 Pseudorandom Functions
6 Pseudorandom Functions A pseudorandom generator allows us to take a small amount of uniformly sampled bits, and amplify them into a larger amount of uniform-looking bits A PRG must run in polynomial
More informationUsing Fully Homomorphic Encryption for Statistical Analysis of Categorical, Ordinal and Numerical Data
Using Fully Homomorphic Encryption for Statistical Analysis of Categorical, Ordinal and Numerical Data Wen-jie Lu 1, Shohei Kawasaki 1, Jun Sakuma 1,2,3 1. University of Tsukuba, Japan 2. JST CREST 3.
More informationA New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE
A New Hierarchical ID-Based Cryptosystem and CCA-Secure PKE Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275,
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationTracing Insider Attacks in the Context of Predicate Encryption Schemes
Tracing Insider Attacks in the Context of Predicate Encryption Schemes Jonathan Katz and Dominique Schröder University of Maryland Email: {jkatz,schroder}@cs.umd.edu Abstract In a predicate encryption
More informationIron: Functional encryption using Intel SGX
Iron: Functional encryption using Intel SGX Sergey Gorbunov University of Waterloo Joint work with Ben Fisch, Dhinakaran Vinayagamurthy, Dan Boneh. Motivation DNA_A DB = Database of DNA sequences DNA_B
More informationKey Dependent Message Security and Receiver Selective Opening Security for Identity-Based Encryption
Key Dependent Message Security and Receiver Selective Opening Security for Identity-Based Encryption Fuyuki Kitagawa and Keisuke Tanaka Tokyo Institute of Technology, Tokyo, Japan kitagaw1,keisuke}@is.titech.ac.jp
More informationMulti-Channel Broadcast Encryption
This extended abstract appeared in Proceedings of the 2013 ACM Symposium on Information, computer and communications security (AsiaCCS âăź13 (May 7 10, 2013, Hangzhou, China, pages??????, ACM Press, New
More informationStructured Encryption and Controlled Disclosure
Structured Encryption and Controlled Disclosure Melissa Chase Seny Kamara Microsoft Research Cloud Storage Security for Cloud Storage o Main concern: will my data be safe? o it will be encrypted o it will
More informationThe ElGamal Public- key System
Online Cryptography Course Dan Boneh Public key encryp3on from Diffie- Hellman The ElGamal Public- key System Recap: public key encryp3on: (Gen, E, D) Gen pk sk m c c m E D Recap: public- key encryp3on
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationBounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority
Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority Rafael Pass Massachusetts Institute of Technology pass@csail.mit.edu June 4, 2004 Abstract We show how to securely realize any
More informationTwo-round Secure MPC from Indistinguishability Obfuscation
Two-round Secure MPC from Indistinguishability Obfuscation Sanjam Garg 1, Craig Gentry 1, Shai Halevi 1, and Mariana Raykova 2 1 IBM T. J. Watson 2 SRI International Abstract. One fundamental complexity
More informationFoundations of Cryptography CS Shweta Agrawal
Foundations of Cryptography CS 6111 Shweta Agrawal Course Information 4-5 homeworks (20% total) A midsem (25%) A major (35%) A project (20%) Attendance required as per institute policy Challenge questions
More informationEvaluating Branching Programs on Encrypted Data
Evaluating Branching Programs on Encrypted Data Yuval Ishai and Anat Paskin Computer Science Department, Technion yuvali@cs.technion.ac.il, anps83@gmail.com Abstract. We present a public-key encryption
More informationDelegatable Functional Signatures
Delegatable Functional Signatures Michael Backes MPI-SWS Saarland University Germany Sebastian Meiser Saarland University Germany October 10, 2013 Dominique Schröder Saarland University Germany Abstract
More informationDefining Encryption. Lecture 2. Simulation & Indistinguishability
Defining Encryption Lecture 2 Simulation & Indistinguishability Roadmap First, Symmetric Key Encryption Defining the problem We ll do it elaborately, so that it will be easy to see different levels of
More informationCRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS
CRYPTOGRAPHY AGAINST CONTINUOUS MEMORY ATTACKS Yevgeniy Dodis, Kristiyan Haralambiev, Adriana Lopez-Alt and Daniel Wichs NYU NY Area Crypto Reading Group Continuous Leakage Resilience (CLR): A Brief History
More information1 Achieving IND-CPA security
ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces
More informationForward and Backward Private Searchable Encryption from Constrained Cryptographic Primitives
Forward and Backward Private Searchable Encryption from Constrained Cryptographic Primitives Raphaël Bost Direction Générale de l Armement & Université de Rennes 1, France raphael_bost@alumni.brown.edu
More informationFunctional Encryption from (Small) Hardware Tokens
Functional Encryption from (Small) Hardware Tokens Kai-Min Chung 1, Jonathan Katz 2, and Hong-Sheng Zhou 3 1 Academia Sinica kmchung@iis.sinica.edu.tw 2 University of Maryland jkatz@cs.umd.edu 3 Virginia
More informationOn the Impossibility of Obfuscation with Auxiliary Input
On the Impossibility of Obfuscation with Auxiliary Input Shafi Goldwasser The Weizmann Institute shafi@theory.lcs.mit.edu Yael Tauman Kalai MIT yael@theory.lcs.mit.edu Abstract Barak et al. formalized
More informationFunctional Encryption from (Small) Hardware Tokens
Functional Encryption from (Small) Hardware Tokens Kai-Min Chung 1, Jonathan Katz 2, and Hong-Sheng Zhou 3 1 Academia Sinica, kmchung@iis.sinica.edu.tw 2 University of Maryland, jkatz@cs.umd.edu 3 Virginia
More information