Cryptography with Updates
1 Cryptography with Updates. Slides and research in collaboration with: Prabhanjan Ananth (UCLA), Aloni Cohen (MIT), Abhishek Jain (JHU).
2-3 Garbled Circuits. Offline (slow): garble the circuit C. Online (fast): given an input x, evaluate to obtain C(x). Example: C = a model of Alice's valuation of APPL stock; x = stock price; C(x) = buy!
5-6 Garbled Circuits. Alice wants to update C to C'. Does changing a single gate in C require garbling the circuit from scratch? Online (fast): x gives C'(x).
7-9 Updatable Garbled Circuits. Offline (slow): garble C. Update (fast): 1. the garbled C is turned into a garbled C'; 2. the update object is easy to compute. Online (fast): x gives C'(x).
10-12 Cryptography with Updates: Results
Garbled Circuits: update gates, from lattices.
Obfuscation: prior work [AJS 17, GP 16].
Attribute-based encryption (update secret key).
Non-interactive proofs (update NP relation, instance): prior work, for conjunctions, [Valiant 08].
Updatable Randomized Encodings (update C, x): general updates, from FE (or from OWFs for bounded-many updates).
14 Outline: definition of URE; related work; how to use URE (XYZ + URE gives Updatable XYZ); construction of Updatable Garbled Circuits.
15-19 Updatable Randomized Encodings (URE). (C, x) + u = (C', x'). An update u can be: change a gate; change a bit of C or x; arbitrary* (*applying u is done by a circuit of fixed size).
Randomized Encoding [IK 00, AIK 06]: encoding is easier than evaluating C, and the encoding only reveals C(x).
Two parties: the Authority runs Encode(C, x) and publishes the encoding; it keeps state and later runs Encode on an update u to produce an encoded update. The User applies the encoded update to the encoding of (C, x) and obtains the encoding of (C', x') = (C, x) + u.
20-23 Multiple Updates in Serial. (C, x) with u1 becomes (C1, x1), which with u2 becomes (C2, x2). The encoding of (C, x) decodes to C(x); applying the encoded u1 yields the encoding of (C1, x1), which decodes to C1(x1); applying the encoded u2 yields the encoding of (C2, x2), which decodes to C2(x2). Updatable Garbled Circuit: the single-use variant.
24-25 Key Challenge: Efficiency. If u is much smaller than C, updating should be simple. Goal: the encoded update has size poly(|u|); more precisely, the time to compute it should be poly(|u|, k) for security parameter k. Compactness (needed for some applications): the cost is independent of the output length of C.
26-27 SIMulation (selective) security: the view can be simulated by just knowing C(x), C1(x1), C2(x2), ... Compactness is impossible for SIM (follows from [AGVW13, CIJOPP13]). INDistinguishability: can't distinguish sequences that agree on C(x), C1(x1), C2(x2), ... Generic transformation from compact + IND to non-compact + SIM (as in FE).
28-30 Previous Work: Incremental Crypto [Bellare-Goldwasser-Goldreich 94, ...]. Signer: (msg, σ) + u = (msg', σ'). Authority: C + u = C'. User: encoding of C + encoded u = encoding of C'. One party: the signer does everything in his head. Two parties: the Authority generates the update; the User applies the update.
31 Previous Work: Incremental / Patchable Obfuscation [Garg-Pandey 16, Ananth-Jain-Sahai 17]. Incremental Obfuscation: more restricted updates; lower bound on efficiency for updatable VBB. Patchable Obfuscation (see Prabhanjan's talk tomorrow!): more general updates; updating many circuits with a single update.
32 Previous Work: URE vs Reusable Garbled Circuits [Goldwasser-Kalai-Popa-Vaikuntanathan-Zeldovich 13]. This work: URE with sequential updates. Observation: for parallel updates (u1, u2, u3, u4 each applied to the same encoding of (C, x), giving encodings of (C, x1), ..., (C, x4)), parallel URE corresponds to reusable GC.
33 How to use URE: XYZ + URE gives Updatable XYZ*, for XYZ in {MPC, NIZK, ABE, FE, iO}. *Formalized for a large class of XYZ, including ABE, FE, iO, NIWI, GC (selectively IND-secure).
34-37 iO + URE gives Updatable iO. Obfuscate C: output an updatable randomized encoding of (iO, C). Update u: URE.Encode(u). Evaluate: the updated encoding is URE(iO, C'), the randomized encoding of iO applied to C'. Correctness and IND-security are inherited from URE and iO; efficiency requires compactness.
38-41 Not-quite-conclusions. Updatable crypto is largely unexplored: the right set of definitions and models; study specific primitives / update types; direct constructions; new questions (e.g., efficiency lower bounds, multi-updating). Remaining time: Updatable Garbled Circuits from lattices!
42 Updatable Garbled Circuit. Garble C gives the garbled C; Garble u gives a garbled update, which turns the garbled C into the garbled C'; Garble x gives the garbled input; Decode yields C'(x). The evaluator only recovers C'(x).
43 Yao's Garbled Circuits [Yao 82, ...]: Garble Circuit, gate by gate (the diagram shows OR gates).
44-49 Attempt 1: Just do it. Gate c = a AND b. Generate Update: a fresh garbled AND gate for the changed gate; Apply Update: replace the old garbled gate with it. Efficiency: 1 gate changed, 1 new garbled gate. Correctness: the evaluator can decode the updated circuit C' on x. Security: the evaluator can still recover C(x)!
50-52 Fixing Security. Idea: encrypt the original garbled gates. Garble Circuit: each garbled gate is encrypted. Generate Update: several components. Efficiency: the update is large. Correctness and security: fine.
53-56 Security + Efficiency. Idea: punctured decryption key. Garble Circuit: gate #1 is the one to be updated. Generate Update: a key punctured at {1}, which can decrypt all gates except #1. Can be built from puncturable PRFs (from OWFs) [Boneh-Waters 13, Boyle-Goldwasser-Ivan 13, Kiayias-Papadopoulos-Triandopoulos-Zacharias 13]. Efficiency, correctness, security: fine. Multiple updates: only supports 1 update.
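The punctured-decryption-key idea above, worked through as an added example (this is not code from the talk or its authors): a GGM-tree puncturable PRF derives one wrapping key per garbled gate, the garbler wraps every gate under its key, and the update ships the key punctured at the replaced gate's index. The evaluator can unwrap every gate except the replaced one, so the old gate, and with it C(x), stays hidden, which is exactly what Attempt 1 failed to do. HMAC-SHA256 standing in for the length-doubling PRG, the 3-bit index space, the master key, the one-time-pad wrapping and the 32-byte "gate tables" are all constructed assumptions of this illustration, not the paper's construction.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

N_BITS = 3               # gate indices are 3 bits wide: room for 8 gates (constructed size)
DEMO_KEY = b"\x01" * 32  # constructed master key; a real garbler samples it at random
NEW_GATE = hashlib.sha256(b"constructed-new-garbled-gate").digest()  # stand-in for the fresh garbled gate

PunctKey = Dict[Tuple[int, int], bytes]  # (depth, prefix) -> seed of a sibling subtree


def prg(seed: bytes) -> Tuple[bytes, bytes]:
    """Length-doubling PRG G(s) = (G_0(s), G_1(s)); HMAC-SHA256 stands in for it here (assumption)."""
    return (hmac.new(seed, b"\x00", hashlib.sha256).digest(),
            hmac.new(seed, b"\x01", hashlib.sha256).digest())


def ggm_eval(key: bytes, x: int, n_bits: int = N_BITS) -> bytes:
    """GGM PRF F_key(x): walk the binary tree from the root, most significant bit first."""
    node = key
    for i in range(n_bits - 1, -1, -1):
        node = prg(node)[(x >> i) & 1]
    return node


def puncture(key: bytes, x_star: int, n_bits: int = N_BITS) -> PunctKey:
    """Punctured key for all points except x_star: the seeds of every sibling subtree
    along the root-to-leaf path of x_star, indexed by (depth, value of the prefix bits)."""
    pkey: PunctKey = {}
    node, prefix = key, 0
    for i in range(n_bits - 1, -1, -1):
        bit = (x_star >> i) & 1
        left_right = prg(node)
        depth = n_bits - i                      # depth of the two children just derived
        pkey[(depth, (prefix << 1) | (1 - bit))] = left_right[1 - bit]
        node, prefix = left_right[bit], (prefix << 1) | bit
    return pkey


def punctured_eval(pkey: PunctKey, x: int, n_bits: int = N_BITS) -> Optional[bytes]:
    """Evaluate F at x from the punctured key; returns None only at the punctured point,
    because no stored seed lies on x_star's own root-to-leaf path."""
    for depth in range(1, n_bits + 1):
        prefix = x >> (n_bits - depth)          # the top `depth` bits of x
        if (depth, prefix) in pkey:
            node = pkey[(depth, prefix)]
            for i in range(n_bits - depth - 1, -1, -1):
                node = prg(node)[(x >> i) & 1]
            return node
    return None


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def make_gates(n: int) -> List[bytes]:
    """Constructed stand-ins for garbled gate tables: opaque 32-byte strings."""
    return [hashlib.sha256(b"constructed-garbled-gate-%d" % i).digest() for i in range(n)]


def encrypt_gates(key: bytes, gates: List[bytes]) -> List[bytes]:
    """Garbler side: wrap garbled gate i under the per-gate key F_key(i) (one-time pad)."""
    return [xor(g, ggm_eval(key, i)) for i, g in enumerate(gates)]


def evaluator_view(cts: List[bytes], pkey: PunctKey, updated: int, new_gate: bytes) -> List[Optional[bytes]]:
    """Evaluator side after an update replacing gate `updated`: unwrap every other gate with
    the punctured key and slot in the new gate; the old gate `updated` cannot be unwrapped."""
    view: List[Optional[bytes]] = []
    for i, ct in enumerate(cts):
        if i == updated:
            view.append(new_gate)
        else:
            pad = punctured_eval(pkey, i)
            view.append(xor(ct, pad) if pad is not None else None)
    return view


def old_gate_recoverable(pkey: PunctKey, updated: int) -> bool:
    """True iff the punctured key still yields the pad for the replaced gate (it must not)."""
    return punctured_eval(pkey, updated) is not None


def demo(updated: int = 1):
    gates = make_gates(4)
    cts = encrypt_gates(DEMO_KEY, gates)
    pkey = puncture(DEMO_KEY, updated)          # this is what the update ships, alongside NEW_GATE
    return evaluator_view(cts, pkey, updated, NEW_GATE), old_gate_recoverable(pkey, updated)


if __name__ == "__main__":
    view, leak = demo(1)
    print("gate 1 replaced, other gates unwrapped:", [g is not None for g in view])
    print("old gate 1 recoverable from punctured key:", leak)
```

The punctured key is a single object of size O(n_bits) seeds, so the update stays small regardless of circuit size; the limitation the slides note next (only one update) shows up here too, since a second puncturing of the same master key would need the unpunctured key the evaluator never sees.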
57-63 Many updates. Idea: punctured proxy re-encryption [ACJ17]. Gates wrapped under key 1 are re-encrypted to key 2 with a re-encryption key punctured at {1}, then to key 3 with a re-encryption key punctured at {2}, and so on. Security: even given the re-encryption keys, the punctured gates remain hidden. Can be built from key-homomorphic constrained PRFs (from LWE) [Brakerski-Vaikuntanathan 15, Banerjee-Fuchsbauer-Peikert-Pietrzak-Stevens 15]. Garble Circuit under key 1. Update 1: the new gate plus a re-encryption key punctured at {1}. Update 2: the new gate plus a re-encryption key punctured at {2}. The garbled input includes the terminal key. Efficiency, correctness, security: fine.
64 MERCI!
65-69 URE Approach: Relock and Release. The encoding of (C, x) decodes to C(x); the encoded update R&R(u1) turns it into the encoding of (C1, x1), which decodes to C1(x1); R&R(u2) turns that into the encoding of (C2, x2), which decodes to C2(x2). R&R(u1) does two things: Relock, producing the new encoding of (C1, x1), and Release, producing RE(C1, x1), a randomized encoding that decodes to C1(x1). Concretely, the encoding of (C, x) is a garbled input, and R&R(u1) is a garbled circuit that outputs the next garbled input together with RE(C1, x1). Correctness: decode RE(C', x') and continue updating the encoding of (C', x'). Security: simulatable. Efficiency: R&R(u) outputs more than |C| bits, thus |R&R(u)| > |C|.
70-83 Relock and Release from Compact FE (1 key, secret key, poly-secure, IND). Idea: delegate the computation of R&R(u) using FE. The user holds FE.SK(R&R-Garbler); the authority sends FE.Enc(u), from which the user derives R&R(u), the garbled circuit that maps the garbled input for (C, x) to the garbled input for (C', x') together with RE(C', x').
Sequence: (C, x) with FE.SK gives the encoding of (C, x) and RE(C, x), which decodes to C(x). u1: Enc(u1) gives R&R(u1), hence the encoding of (C1, x1) and RE(C1, x1), which decodes to C1(x1). u2: Enc(u2) gives R&R(u2), hence the encoding of (C2, x2) and RE(C2, x2), which decodes to C2(x2).
Efficiency: FE.Enc is fast (by compactness of FE). Correctness: decode RE(C1, x1) and continue updating the encoding of (C1, x1). Security: by the security of functional encryption, garbled circuits and randomized encodings, the view reveals only C(x).
What is Encryption Parties involved: Alice: The Sender Bob: The Receiver Eve: The Eavesdropper Aim of Encryption Alice wants to send a message to Bob The message should remain hidden from Eve What distinguishes
More informationAn Exploration of Group and Ring Signatures
An Exploration of Group and Ring Signatures Sarah Meiklejohn February 4, 2011 Abstract Group signatures are a modern cryptographic primitive that allow a member of a specific group (e.g., the White House
More informationSecure Outsourced Garbled Circuit Evaluation for Mobile Devices
Secure Outsourced Garbled Circuit Evaluation for Mobile Devices Henry Carter, Georgia Institute of Technology Benjamin Mood, University of Oregon Patrick Traynor, Georgia Institute of Technology Kevin
More informationSecure Computation Against Adaptive Auxiliary Information
Secure Computation Against Adaptive Auxiliary Information Elette Boyle 1, Sanjam Garg 2, Abhishek Jain 3, Yael Tauman Kalai 4, and Amit Sahai 2 1 MIT, eboyle@mit.edu 2 UCLA, {sanjamg,sahai}@cs.ucla.edu
More informationEfficient MPC Optimizations for Garbled Circuits
CIS 2018 Efficient MPC Optimizations for Garbled Circuits Claudio Orlandi, Aarhus University Part 3: Garbled Circuits GC: Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active
More informationTurning HATE Into LOVE: Homomorphic Ad Hoc Threshold Encryption for Scalable MPC
Turning HATE Into LOVE: Homomorphic Ad Hoc Threshold Encryption for Scalable MPC Leonid Reyzin, Adam Smith, and Sophia Yakoubov Boston University Abstract. We explore large-scale fault-tolerant multiparty
More informationStrong Privacy for RFID Systems from Plaintext-Aware Encryption
Strong Privacy for RFID Systems from Plaintext-Aware Encryption Khaled Ouafi and Serge Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE http://lasec.epfl.ch/ supported by the ECRYPT project SV strong
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More informationForward & Backward Private Searchable Encryption from Constrained Cryptographic Primitives
Forward & Backward Private Searchable Encryption from Constrained Cryptographic Primitives Raphael Bost, Brice Minaud, Olga Ohrimenko ACM CCS 17 - Dallas, TX - 11/01/2017 Great Co-Authors Brice Minaud
More information5Gen-C: Multi-input Functional Encryption and Program Obfuscation for Arithmetic Circuits
5Gen-C: Multi-input Functional Encryption and Program Obfuscation for Arithmetic Circuits Brent Carmer Oregon State University Galois, Inc. bcarmer@galois.com Alex J. Malozemoff Galois, Inc. amaloz@galois.com
More informationCSC/ECE 774 Advanced Network Security
Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;
More informationFully Succinct Garbled RAM
Fully Succinct Garbled RAM Ran Canetti Tel-Aviv University and Boston University canetti@bu.edu Justin Holmgren MIT holmgren@csail.mit.edu ABSTRACT We construct the first fully succinct garbling scheme
More informationSecurity Protections for Mobile Agents
Stephen R. Tate Dept. of Computer Science and Engineering University of North Texas Talk describes joint work with Ke Xu and Vandana Gunupudi Research supported by the National Science Foundation class
More informationCryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay
Cryptography and Network Security Lecture 0 Manoj Prabhakaran IIT Bombay Security In this course: Cryptography as used in network security Humans, Societies, The World Network Hardware OS Libraries Programs
More informationCPSC 467b: Cryptography and Computer Security
Outline ZKIP Other IP CPSC 467b: Cryptography and Computer Security Lecture 19 Michael J. Fischer Department of Computer Science Yale University March 31, 2010 Michael J. Fischer CPSC 467b, Lecture 19
More informationPredicate Encryption for Circuits from LWE
Predicate Encryption for Circuits from LWE Sergey Gorbunov 1, Vinod Vaikuntanathan 1, and Hoeteck Wee 2 1 MIT 2 ENS Abstract. In predicate encryption, a ciphertext is associated with descriptive attribute
More informationMichael Zohner (TU Darmstadt)
ABY -A Framework for Efficient Mixed-Protocol Secure Two-Party Computation Michael Zohner (TU Darmstadt) Joint work with Daniel Demmler and Thomas Schneider 19.02.15 ABY: Mixed-Protocol Secure Two-Party
More informationLeakage-Resilient Zero Knowledge
Leakage-Resilient Zero Knowledge Sanjam Garg, Abhishek Jain, and Amit Sahai UCLA {sanjamg,abhishek,sahai}@cs.ucla.edu Abstract. In this paper, we initiate a study of zero knowledge proof systems in the
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationNon-interactive and Output Expressive Private Comparison from Homomorphic Encryption
Non-interactive and Output Expressive Private Comparison from Homomorphic Encryption Wen-jie Lu 1, Jun-jie Zhou 1, Jun Sakuma 1,2,3 1.University of Tsukuba 2.JST/CREST 3.RIKEN AIP Center Target Function:
More informationProgram Obfuscation with Leaky Hardware
Program Obfuscation with Leaky Hardware The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters. Citation As Published Publisher Bitansky,
More informationPlaintext Awareness via Key Registration
Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38 Context of this work Originates from work on Dolev-Yao (DY) model Symbolic
More information