Security and Privacy through Modern Cryptography

Transcription

1 Security and Privacy through Modern Cryptography David Wu Stanford University

2 Cryptography in the 1970s How can two users who have never met before communicate securely with each other? m secrecy integrity authenticity

3 Modern Cryptography Machine Learning Modern Cryptography Personal Genomics Cloud Computing Computer Security Databases

4 Private Genome Analysis [Science 17] What gene causes a specific (rare) disease? joint work with Boneh, Bejerano, Birgmeier, and Jagadeesh Patients with Kabuki Syndrome Each patient has a list of rare variants over 20,000 genes

5 Gene Private Genome Analysis [Science 17] joint work with Boneh, Bejerano, Birgmeier, and Jagadeesh A1BG ZZZ Each patient has a vector v where v i = 1 if patient has a rare variant in gene i Patients with Kabuki Syndrome Goal: Identify gene with most variants across all patients Each patient has a list of rare variants over 20,000 genes

6 Gene Private Genome Analysis [Science 17] joint work with Boneh, Bejerano, Birgmeier, and Jagadeesh A1BG ZZZ Each patient has a vector v where v i = 1 if patient has a rare variant in gene i Patients with Kabuki Syndrome Each patient has a list of rare variants over 20,000 genes Goal: Identify gene with most variants across all patients Works well for monogenic diseases

7 Gene Private Genome Analysis [Science 17] joint work with Boneh, Bejerano, Birgmeier, and Jagadeesh A1BG ZZZ Question: Can we perform this computation without seeing complete patient genomes? Patients with Kabuki Syndrome Each patient has a list of rare variants over 20,000 genes Goal: Identify gene with most variants across all patients Works well for monogenic diseases

8 Private Genome Analysis [Science 17] joint work with Boneh, Bejerano, Birgmeier, and Jagadeesh r x r Patients with Kabuki Syndrome Each patient has a list of rare variants over 20,000 genes Patients secret share their data with two (non-colluding) hospitals

9 Private Genome Analysis [Science 17] joint work with Boneh, Bejerano, Birgmeier, and Jagadeesh MPC Protocol Hospitals run a multiparty computation (MPC) protocol on pooled inputs Patients with Kabuki Syndrome Each patient has a list of rare variants over 20,000 genes Patients secret share their data with two (non-colluding) hospitals

10 Private Genome Analysis [Science 17] joint work with Boneh, Bejerano, Birgmeier, and Jagadeesh MPC Protocol Experiments on real patient data Top variants (sorted): KMT2D, COL6A1, FLNB Patients with Kabuki Syndrome Each patient has a list of rare variants over 20,000 genes Known cause of disease

11 Private Genome Analysis [Science 17] joint work with Boneh, Bejerano, Birgmeier, and Jagadeesh MPC Protocol Experiments on real patient data Top variants (sorted): KMT2D, COL6A1, FLNB Patients with Kabuki Syndrome Each patient has a list of rare variants over 20,000 genes Each hospital individually learns nothing about genomes

12 Private Genome Analysis [Science 17] joint work with Boneh, Bejerano, Birgmeier, and Jagadeesh MPC Protocol Simulated two parties using two servers on Amazon EC2 (East Coast / West Coast): Experiments on real patient data 13.7 s 62.2 MB 15.8 s 72.7 MB Completes in under 10s 9.6 s 41.0 MB Top variants (sorted): KMT2D, COL6A1, FLNB Patients Number with of Kabuki Patients Syndrome End-to-End Time Communication Each patient has a list of Performance scales logarithmically with cohort size rare variants over 20,000 genes Each hospital individually learns nothing about genomes

13 Private Genome Analysis [Science 17] joint work with Boneh, Bejerano, Birgmeier, and Jagadeesh MPC Protocol Area of growing interest: annual idash competition for developing solutions for privacypreserving genomics Upcoming work: privacy-preserving genome-wide association studies (GWAS) framework with tens of thousands of genomes [CWB18; Nature Biotechnology] [Preliminary implementation won first place at idash 2015] Completes in under 10s Experiments on real patient data Top variants (sorted): KMT2D, COL6A1, FLNB Each hospital individually learns nothing about genomes

14 Modern Cryptography Machine Learning Modern Cryptography Personal Genomics Cloud Computing Computer Security Databases

15 My Research from 10,000 Feet Machine Learning [WFNL16] Modern Cryptography Personal Genomics [JWBBB17, CWB18] Cloud Computing [BISW17, BISW18] Computer Security [WZPM16, WTSB16] Databases [BGHWW13, CLWW16, LW16]

16 My Research from 10,000 Feet How can we build more secure systems? Machine Learning Modern Cryptography Personal Genomics Cloud Computing Computer Security [WZPM16, WTSB16] Databases

17 My Research from 10,000 Feet How do we search on encrypted data? Machine Learning Modern Cryptography Personal Genomics Cloud Computing Computer Security Databases [BGHWW13, CLWW16, LW16]

18 My Research from 10,000 Feet How can a user efficiently verify the correctness of a complex computation? Machine Learning Modern Cryptography Personal Genomics Cloud Computing [BISW17, BISW18] Computer Security Databases

19 My Research from 10,000 Feet Functional Encryption [AW17, KW17b] Pseudorandom Functions [BLW17, BKW17, BIPSW18] Lattice-Based Cryptography [KW17, KW18] Machine Learning [WFNL16] Modern Cryptography Personal Genomics [JWBBB17, CWB18] Cloud Computing [BISW17, BISW18] Computer Security [WZPM16, WTSB16] Databases [BGHWW13, CLWW16, LW16]

20 Talk Outline Functional Encryption Pseudorandom Functions Lattice-Based Cryptography Modern Cryptography Personal Genomics Part I: Searching on Encrypted Data Databases [BGHWW13, CLWW16, LW16]

21 Talk Outline Functional Encryption Pseudorandom Functions [BLW17, BKW17, BIPSW18] Lattice-Based Cryptography [KW17, KW18] Modern Cryptography Personal Genomics Part I: Part II: Searching on Encrypted Data Software Watermarking Databases

22 Part I: Searching on Encrypted Data Main theme: Developing new cryptographic primitives that enable secure systems design Machine Learning Modern Cryptography Personal Genomics Cloud Computing Computer Security Databases [BGHWW13, CLWW16, LW16]

23 Searching on Encrypted Data Database breaches have become the norm rather than the exception [Data taken from Vigilante.pw]

24 Searching on Encrypted Data

25 Why Not Encrypt? Because it would have hurt Yahoo s ability to index and search messages to provide new user services Jeff Bonforte (Yahoo SVP)

26 Searching on Encrypted Data sk Any client (e.g., web client, employee) who hold a secret key can query the database ID Name Age Zip Code 0 Alice Bob Emily Jeff encrypted database sk database server (hosted in the cloud)

27 Security Against Snapshot Adversaries ID Name Age Zip Code 0 Alice Bob Emily Jeff Adversary breaks into the database server and steals the contents of the database on disk (i.e., obtains a snapshot of the database) database server (hosted in the cloud)

28 Order-Revealing Encryption [BCLO09, BLRSZZ15] secret-key encryption scheme ct 1 = Enc(sk, x) ct 2 = Enc(sk, y) x > y public comparison function for ciphertexts Best-possible security: ciphertexts hide everything other than the ordering of the values

29 Order-Revealing Encryption [BCLO09, BLRSZZ15] secret-key encryption scheme ct 1 = Enc(sk, x) ct 2 = Enc(sk, y) x > y public comparison function for ciphertexts Enables queries on encrypted data without making significant changes to existing database architectures

30 Performance Existing Approaches Practical Theoretical Not drawn to scale Security

31 Performance Existing Approaches Practical constructions based on multilinear maps [BLRSZZ15] or obfuscation [GGGJKLSSZ14] Not drawn to scale Theoretical Security Best-possible security, but not implementable

32 Performance Existing Approaches Very efficient, but has additional leakage: Ciphertexts reveal half of the bits of the plaintext Difficult to quantify precise leakage OPE [BCLO09] Practical constructions based on multilinear maps [BLRSZZ15] or obfuscation [GGGJKLSSZ14] Not drawn to scale Theoretical Security Best-possible security, but not implementable

33 Performance Existing Approaches Used in systems like CryptDB [PRZB11] and by start-ups like SkyHigh Networks OPE [BCLO09] Practical constructions based on multilinear maps [BLRSZZ15] or obfuscation [GGGJKLSSZ14] Not drawn to scale Theoretical Security Best-possible security, but not implementable

34 Performance Existing Approaches Used in systems like CryptDB [PRZB11] and by start-ups like SkyHigh Networks OPE [BCLO09] Goal: New notion of ORE that is both practical and whose security can be precisely analyzed Practical Something in between? constructions based on multilinear maps [BLRSZZ15] or obfuscation [GGGJKLSSZ14] Not drawn to scale Theoretical Security Best-possible security, but not implementable

35 A Simple ORE Construction [FSE 16] joint work with Chenette, Lewi, and Weis Pseudorandom function (PRF): function whose input-output behavior looks like that of a random function F k : 0,1 0,1,2 For each index i, apply a PRF (e.g., AES) to the first i 1 bits, then add b i (mod 3)

36 A Simple ORE Construction [FSE 16] joint work with Chenette, Lewi, and Weis F k (ε) + 1 F k : 0,1 0,1,2 empty prefix For each index i, apply a PRF (e.g., AES) to the first i 1 bits, then add b i (mod 3)

37 A Simple ORE Construction [FSE 16] joint work with Chenette, Lewi, and Weis F k (ε) + 1 F k : 0,1 0,1,2 F k (1) + 0 For each index i, apply a PRF (e.g., AES) to the first i 1 bits, then add b i (mod 3)

38 A Simple ORE Construction [FSE 16] joint work with Chenette, Lewi, and Weis F k (ε) + 1 F k : 0,1 0,1,2 F k (1) + 0 F k (10) + 0 For each index i, apply a PRF (e.g., AES) to the first i 1 bits, then add b i (mod 3)

39 A Simple ORE Construction [FSE 16] joint work with Chenette, Lewi, and Weis F k (ε) + 1 F k (1) + 0 F k (10) + 0 F k (100) + 1 F k (1001) + 0 F k (10010) + 1 same prefix = same ciphertext block first block that differs different prefix = value hidden F k (ε) + 1 F k (1) + 0 F k (10) + 0 F k (100) + 0 F k (1000) + 1 F k (10001) Recall: all additions happen modulo Additional leakage: first differing bit

40 A Simple ORE Construction [FSE 16] joint work with Chenette, Lewi, and Weis F k (ε) + 1 F k (1) + 0 F k (10) + 0 F k (100) + 1 F k (1001) + 0 F k (10010) + 1 same prefix = same ciphertext block first block that differs different prefix = value hidden F k (ε) + 1 F k (1) + 0 F k (10) + 0 F k (100) + 0 F k (1000) + 1 F k (10001) Key insight: Embed comparisons into Z Additional leakage: first differing bit

41 Inference Attacks [NKW15, DDC16, GSBNR17] ID Name Age Zip Code wpjoos 2wzXW8 SqX9l9 KqLUXE XdXdg8 y9gfps gwile3 MJ23b7 P6vKhW EgN0Jn S0pRJe ataejk orjre6 KQWy9U tpwf3m 4FBEO0 encrypted database + public information frequency and statistical analysis ID Name Age Zip Code??? Alice ?????? Bob ?????? Emily ?????? Jeff ??? plaintext recovery

42 Inference Attacks [NKW15, DDC16, GSBNR17] ORE schemes reveal order of ciphertexts and thus, are vulnerable to offline inference attacks Can we extend ORE to defend against offline inference attacks?

43 Defending Against Inference Attacks [CCS 16] Key primitive: order-revealing encryption scheme where ciphertexts have a decomposable structure joint work with Lewi Enc 37 Enc L 37 Enc R 35 ct L ct R ct L ct R ciphertexts naturally split into two components greater than

44 Defending Against Inference Attacks [CCS 16] joint work with Lewi Enc L 37 Enc R 35 ct L ct R right ciphertexts reveal nothing about underlying messages! comparison can be performed between left ciphertext and right ciphertext robustness against offline inference attacks!

45 Encrypted Range Queries [CCS 16] joint work with Lewi store right ciphertexts in sorted order ID Name Age Zip Code 0 Alice Bob Emily Jeff Age Enc R (31) Enc R (41) Enc R (45) Enc R (47) build encrypted index ID Enc(0) Enc(2) Enc(3) Enc(1) record IDs encrypted under independent key Name Enc R (Alice) ID Enc(0) Age ID Enc(1) Enc(0) Zip Code Enc(2) ID Enc(2) Enc R (38655) Enc(3) Enc(2) Enc(3) Enc R (46304) Enc(3) Enc(1) Enc R (60015) Enc(1) Enc R (Bob) Enc R (31) Enc R (Emily) Enc R (41) Enc R (Jeff) Enc R (45) Enc R (47) Enc R (68107) Enc(0) separate index for each searchable column, and using different ORE keys

46 Encrypted Range Queries [CCS 16] Encrypted database: ID Name Age Zip Code 0 Alice Bob Emily Jeff columns (other than ID) are encrypted using standard encryption scheme to perform range query, client provides left ciphertexts corresponding to its range Name ID Enc R (Alice) Enc(0) Age ID Enc(1) Enc(0) Zip Code Enc(2) ID Enc(2) Enc R (38655) Enc(3) Enc(2) Enc(3) Enc R (46304) Enc(3) Enc(1) Enc R (60015) Enc(1) Enc R (Bob) Enc R (31) Enc R (Emily) Enc R (41) Enc R (Jeff) Enc R (45) Enc R (47) Enc R (68107) joint work with Lewi Enc(0) encrypted search indices

47 Encrypted Range Queries [CCS 16] Encrypted database: ID Name Age Zip Code 0 Alice Bob Emily Jeff Encrypted database hides the contents! Name ID Enc R (Alice) Enc(0) Age ID Enc(1) Enc(0) Zip Code Enc(2) ID Enc(2) Enc R (38655) Enc(3) Enc(2) Enc(3) Enc R (46304) Enc(3) Enc(1) Enc R (60015) Enc(1) Enc R (Bob) Enc R (31) Enc R (Emily) Enc R (41) Enc R (Jeff) Enc R (45) Enc R (47) Enc R (68107) joint work with Lewi Enc(0) encrypted search indices

48 Performance Comparison Scheme Encrypt (μs) Compare (μs) ct (bytes) Security [BCLO09] OPE > Leaks half of the bits [CLWW16] ORE Leaks first-differing bit [LW16] ORE Left-right security 5Gen ORE [LMAC + 16] > 10 9 > 10 8 > 10 9 Best-possible security (80 bits of security) Measurements for encrypting 32-bit integers (with 128 bits of security)

49 Performance Comparison Scheme Encrypt (μs) Compare (μs) ct (bytes) Security [BCLO09] OPE > Leaks half of the bits [CLWW16] ORE Leaks first-differing bit [LW16] ORE Left-right security 5Gen ORE [LMAC + 16] > 10 9 > 10 8 > 10 9 Best-possible security (80 bits of security) The [LW16] scheme is 65x faster than OPE, but ciphertexts are 30x longer. Security is substantially better.

50 Performance The Landscape of ORE OPE [BCLO09] vulnerable to inference attacks [NKW15, DDC16, GSBNR16] ORE [CLWW16] Practical Theoretical ORE [LW16] subsequent work [CLOZ16, JP16] constructions based on multilinear maps [BLRSZZ15] or obfuscation [GGGJKLSSZ14] can provide offline security Not drawn to scale Security

51 Part II: Watermarking Software Functional Encryption Pseudorandom Functions [BLW17, BKW17, BIPSW18] Lattice-Based Cryptography [KW17, KW18] Machine Learning Modern Cryptography Personal Genomics Main theme: Realizing complex cryptographic functionalities from simple assumptions

52 Watermarking Software How do we prove ownership of software? Snippet of code used in Oracle copyright and patent dispute against Google

53 Watermarking Software How do we prove ownership of software? Claim: Android contained code that was copied (almost) verbatim from Oracle source code Not a new phenomenon: earlier case between AT&T and BSD regarding unauthorized use of code [Unix System Laboratories vs. Berkeley Software Design] Snippet of code used in Oracle copyright and patent dispute against Google

54 Watermarking Software How do we prove ownership of software? Claim: Android contained code that was copied (almost) verbatim from Oracle source code Question: Is there a rigorous notion of watermarking software? Snippet of code used in Oracle copyright and patent dispute against Google

55 Watermarking Software [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17, KW17] CRYPTO Embed a mark within a program If mark is removed, then program is destroyed Two main algorithms (simplified): Mark C C : Takes a circuit C and outputs a marked circuit C Verify C 0,1 : Tests whether a circuit C is marked or not

56 Watermarking Software [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17, KW17] CRYPTO Embed a mark within a program Notion extend to setting where watermark If mark is removed, then program is destroyed can be any string Two main algorithms (simplified): Mark C C : Takes a circuit C and outputs a marked circuit C Verify C 0,1 : Tests whether a circuit C is marked or not

57 Watermarking Software [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17, KW17] Mark CRYPTO Functionality-preserving: On input a circuit C, the Mark algorithm outputs a circuit C where C x = C (x) on almost all inputs x

58 Watermarking Software [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17, KW17] CRYPTO Unremovability: Given a marked program C, no efficient adversary can construct a circuit C where C x = C (x) on almost all inputs x The circuit C is unmarked: Verify C = 0

59 Watermarking Software [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17, KW17] Adversary is very powerful: sees the code of the marked CRYPTO program C and has complete flexibility in crafting C Unremovability: Given a marked program C, no efficient adversary can construct a circuit C where C x = C (x) on almost all inputs x The circuit C is unmarked: Verify C = 0

60 Watermarking Software [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17, KW17] CRYPTO Learning the original (unmarked) function gives a way to remove the watermark Notion only achievable for functions that are not learnable Focus has been on cryptographic functions

61 Watermarking Cryptographic Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17, KW17] PRF(k, ) pseudorandom function Mark PRF(k, ) pseudorandom function CRYPTO Focus of this work: watermarking PRFs [CHNVW16, BLW17, KW17]

62 Watermarking Cryptographic Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17, KW17] PRF(k, ) pseudorandom function Mark PRF(k, ) pseudorandom function CRYPTO A function whose input-output Focus behavior of this unpredictable work: watermarking (looks PRFs [CHNVW16, BLW17, KW17] like a random function) e.g., AES

63 Watermarking Cryptographic Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17, KW17] PRF(k, ) pseudorandom function Mark PRF(k, ) pseudorandom function CRYPTO Program has PRF key k hard-wired Focus inside it of and this on work: input x, watermarking outputs PRFs [CHNVW16, BLW17, KW17] PRF(k, x)

64 Watermarking Cryptographic Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17, KW17] PRF(k, ) pseudorandom function Mark PRF(k, ) pseudorandom function CRYPTO Focus of this work: watermarking PRFs [CHNVW16, BLW17, KW17] Enables watermarking of symmetric primitives built from PRFs (e.g., encryption, message authentication codes) Goal: build watermarking from standard and implementable assumptions

65 Brief Digression: The Landscape of Cryptography Cryptomania: cryptography from standard assumptions (e.g., factoring, discrete log, learning with errors) Encryption Signatures Multiparty Computation Zero-Knowledge Cryptomania Obfustopia Functional Encryption Non-Interactive Key Exchange Watermarking? Challenge: realizing these applications from standard and implementable assumptions Obfustopia: cryptography where we also have obfuscation

66 Key Notion: Private Translucent PRFs [CRYPTO 17] joint work with Kim (and recipient of Best Young-Researcher Paper Award) Starting point: puncturable PRF [BW13, BGI13, KPTZ13] Puncture x PRF key punctured key Can be used to evaluate the PRF on all points x x Privacy: Punctured key hides x

67 Key Notion: Private Translucent PRFs [CRYPTO 17] joint work with Kim (and recipient of Best Young-Researcher Paper Award) PRF key x 1 x 2 y 2 y 1 x 3 x y 3 PRF k, x

68 Key Notion: Private Translucent PRFs [CRYPTO 17] joint work with Kim (and recipient of Best Young-Researcher Paper Award) punctured key x 1 x 2 y 2 y 1 x 3 x y y 3 Punctured key implements the same function except at x

69 Key Notion: Private Translucent PRFs [CRYPTO 17] joint work with Kim (and recipient of Best Young-Researcher Paper Award) punctured key x 1 x 2 y 2 y 1 x 3 x y y 3 Translucent PRF: When punctured key is used to evaluate at x, output lies in a sparse, hidden subset of the range

70 Key Notion: Private Translucent PRFs [CRYPTO 17] joint work with Kim (and recipient of Best Young-Researcher Paper Award) punctured key x 1 x 2 y 2 y 1 x 3 x y y 3 Secret key (associated with PRF family) can be used to test for Translucent PRF: When membership punctured key in is the used hidden to evaluate subspace at x, output lies in a sparse, hidden subset of the range

71 Key Notion: Private Translucent PRFs [CRYPTO 17] joint work with Kim (and recipient of Best Young-Researcher Paper Award) punctured key x 1 x 2 y 2 y 1 x 3 x y y 3 Sets satisfying such properties are called translucent [CDNO97] Values in special set looks indistinguishable from a random value (without secret testing key)

72 Watermarking from Private Translucent PRFs [CRYPTO 17] joint work with Kim (and recipient of Best Young-Researcher Paper Award) watermarked key x 1 x 2 y 2 y 1 x 3 x y y 3 Watermarked program just implements evaluation using punctured key (for the private translucent PRF)

73 Watermarking from Private Translucent PRFs [CRYPTO 17] joint work with Kim (and recipient of Best Young-Researcher Paper Award) watermarked key x 1 x 2 y 2 y 1 x 3 x y y 3 Verification: to test whether a program C is watermarked, check whether C x is in the translucent set (using the testing key for the private translucent PRF)

74 Watermarking from Private Translucent PRFs [CRYPTO 17] joint work with Kim (and recipient of Best Young-Researcher Paper Award) watermarked key x 1 x 2 y 2 y 1 x 3 x y y 3 Functionality-preserving: function differs at a single point Unremovable: the point x is hidden by privacy, and the value y looks like random element in range by translucency

75 Watermarking from Private Translucent PRFs [CRYPTO 17] joint work with Kim (and recipient of Best Young-Researcher Paper Award) watermarked key x 1 x 2 y 2 y 1 x 3 x y Intuitively: special point x, y is used to embed the watermark; watermark is hidden by privacy and translucency properties Functionality-preserving: function differs at a single point Unremovable: the point x is hidden by privacy, and the value y looks like random element in range by translucency y 3

76 Watermarking from Private Translucent PRFs [CRYPTO 17] joint work with Kim (and recipient of Best Young-Researcher Paper Award) watermarked key x 1 x 2 y 2 y 1 x 3 x y y 3 Private translucent PRFs can be built from standard lattice assumptions

77 Watermarking from Private Translucent PRFs [CRYPTO 17] Cryptomania: cryptography from standard assumptions (e.g., factoring, discrete log, learning with errors) Encryption Signatures Multiparty Computation Zero-Knowledge Watermarking joint work with Kim (and recipient of Best Young-Researcher Paper Award) Obfustopia Functional Encryption Non-Interactive Key Exchange Watermarking Cryptomania Obfustopia: cryptography where we also have obfuscation

78 My Research from 10,000 Feet Functional Encryption [AW17, KW17b] Pseudorandom Functions [BLW17, BKW17, BIPSW18] Lattice-Based Cryptography [KW17, KW18] Machine Learning [WFNL16] Modern Cryptography Personal Genomics [JWBBB17, CWB18] Cloud Computing [BISW17, BISW18] Computer Security [WZPM16, WTSB16] Databases [BGHWW13, CLWW16, LW16]

79 Research Themes and Directions Developing new protocols for privacy-preserving computation Genome Privacy [JWBBB17, CWB18] Internet of Things [WTSB16] Machine Learning [WFNL16] Can we build general frameworks to enable scalable privacypreserving computation across domains?

80 Research Themes and Directions Build new cryptographic primitives that enable more secure systems Order-revealing encryption for searching on encrypted data [CLWW16, LW16] Succinct arguments for verifiable computation [BISW17, BISW18]

81 Research Themes and Directions Realizing complex functionalities from simple assumptions Factoring Discrete logarithm Pairings Learning with Errors 1970s What new functionalities are possible from standard (and implementable) assumptions? Thank you!