Advances in Cryptology – CRYPTO 2017

We construct a functional encryption scheme for circuits which simultaneously achieves and improves upon the security of the current best known, and incomparable, constructions from standard assumptions: reusable garbled circuits by Goldwasser, Kalai, Popa, Vaikuntanathan and Zeldovich (STOC 2013) [GKP+13] and predicate encryption for circuits by Gorbunov, Vaikuntanathan and Wee (CRYPTO 2015) [GVW15]. Our scheme is secure based on the learning with errors (LWE) assumption. Our construction implies: 1. A new construction for reusable garbled circuits that achieves stronger security than the only known prior construction [GKP+13]. 2. A new construction for bounded collusion functional encryption with substantial efficiency benefits: our public parameters and ciphertext size incur an additive growth of O(Q), where Q is the number of permissible queries (We note that due to a lower bound [AGVW13], the ciphertext size must necessarily grow with Q). Additionally, the ciphertext of our scheme is succinct, in that it does not depend on the size of the circuit. By contrast, the prior best construction [GKP+13,GVW12] incurred a multiplicative blowup of O(Q) in both the public parameters and ciphertext size. However, our scheme is secure in a weaker game than [GVW12]. Additionally, we show that existing LWE based predicate encryption schemes [AFV11,GVW15] are completely insecure against a general functional encryption adversary (i.e. in the “strong attribute hiding” game). We demonstrate three different attacks, the strongest of which is applicable even to the inner product predicate encryption scheme [AFV11]. Our attacks are practical and allow the attacker to completely recover x from its encryption Enc(x) within a polynomial number of queries. This illustrates that the barrier between predicate and functional encryption is not just a limitation of proof techniques. We believe these attacks shed significant light on the barriers to achieving full fledged functional encryption from LWE, even for simple functionalities such as inner product zero testing [KSW08,AFV11]. Along the way, we develop a new proof technique that permits the simulator to program public parameters based on keys that will be requested in the future. This technique may be of independent interest. c © International Association for Cryptologic Research 2017 J. Katz and H. Shacham (Eds.): CRYPTO 2017, Part I, LNCS 10401, pp. 3–35, 2017. DOI: 10.1007/978-3-319-63688-7 1

[1]  Ivan Damgård,et al.  A Statistically-Hiding Integer Commitment Scheme Based on Groups with Hidden Order , 2002, ASIACRYPT.

[2]  Marine Minier,et al.  Oblivious Multi-variate Polynomial Evaluation , 2009, INDOCRYPT.

[3]  Claudio Orlandi,et al.  A New Approach to Practical Active-Secure Two-Party Computation , 2012, IACR Cryptol. ePrint Arch..

[4]  Tamir Tassa,et al.  Oblivious evaluation of multivariate polynomials , 2013, J. Math. Cryptol..

[5]  Fabien Laguillaumie,et al.  Linearly Homomorphic Encryption from DDH , 2015, IACR Cryptol. ePrint Arch..

[6]  Vinod Vaikuntanathan,et al.  How to Delegate and Verify in Public: Verifiable Computation from Attribute-based Encryption , 2012, IACR Cryptol. ePrint Arch..

[7]  David Pointcheval,et al.  Encryption Switching Protocols , 2015, CRYPTO.

[8]  Luca Trevisan,et al.  On e-Biased Generators in NC0 , 2003, FOCS.

[9]  Ivan Damgård,et al.  Semi-Homomorphic Encryption and Multiparty Computation , 2011, IACR Cryptol. ePrint Arch..

[10]  Aravind Srinivasan,et al.  Randomized Distributed Edge Coloring via an Extension of the Chernoff-Hoeffding Bounds , 1997, SIAM J. Comput..

[11]  Benny Pinkas,et al.  Fairplay - Secure Two-Party Computation System , 2004, USENIX Security Symposium.

[12]  Craig Gentry,et al.  Trapdoors for hard lattices and new cryptographic constructions , 2008, IACR Cryptol. ePrint Arch..

[13]  Emmanuel Thomé,et al.  Théorie algorithmique des nombres et applications à la cryptanalyse de primitives cryptographiques. (Algorithmic Number Theory and Applications to the Cryptanalysis of Cryptographical Primitives) , 2012 .

[14]  Vinod Vaikuntanathan,et al.  On the Non-Existence of Blockwise 2-Local PRGs with Applications to Indistinguishability Obfuscation , 2017, IACR Cryptol. ePrint Arch..

[15]  Tomas Toft,et al.  Secure Equality and Greater-Than Tests with Sublinear Online Complexity , 2013, ICALP.

[16]  Jacques Stern,et al.  Sharing Decryption in the Context of Voting or Lotteries , 2000, Financial Cryptography.

[17]  Michael J. Jacobson,et al.  Computing Discrete Logarithms in Quadratic Orders , 2015, Journal of Cryptology.

[18]  Tal Rabin,et al.  Verifiable secret sharing and multiparty protocols with honest majority , 1989, STOC '89.

[19]  Ueli Maurer,et al.  A Hardcore Lemma for Computational Indistinguishability: Security Amplification for Arbitrarily Weak PRGs with Optimal Stretch , 2010, TCC.

[20]  Shweta Shinde,et al.  AUTOCRYPT: enabling homomorphic computation on servers to protect sensitive web content , 2013, CCS.

[21]  Daniele Micciancio,et al.  Worst-case to average-case reductions based on Gaussian measures , 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[22]  Benny Pinkas,et al.  Secure Two-Party Computation is Practical , 2009, IACR Cryptol. ePrint Arch..

[23]  Rafael Pass,et al.  Indistinguishability Obfuscation from Semantically-Secure Multilinear Encodings , 2014, CRYPTO.

[24]  Yehuda Lindell,et al.  Implementing Two-Party Computation Efficiently with Security Against Malicious Adversaries , 2008, SCN.

[25]  Rosario Gennaro,et al.  Securing Threshold Cryptosystems against Chosen Ciphertext Attack , 1998, EUROCRYPT.

[26]  Torben P. Pedersen A Threshold Cryptosystem without a Trusted Party (Extended Abstract) , 1991, EUROCRYPT.

[27]  Eric Miles,et al.  Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13 , 2016, CRYPTO.

[28]  Vladimir Kolesnikov,et al.  Improved Garbled Circuit: Free XOR Gates and Applications , 2008, ICALP.

[29]  Vinod Vaikuntanathan,et al.  Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE , 2012, EUROCRYPT.

[30]  Rafael Pass,et al.  Output-Compressing Randomized Encodings and Applications , 2016, TCC.

[31]  Stefano Tessaro,et al.  Indistinguishability Obfuscation from Trilinear Maps and Block-Wise Local PRGs , 2017, CRYPTO.

[32]  Yvo Desmedt,et al.  Threshold Cryptosystems , 1989, CRYPTO.

[33]  Leslie G. Valiant,et al.  Fast Parallel Computation of Polynomials Using Few Processors , 1983, SIAM J. Comput..

[34]  Ivan Damgård,et al.  Universally Composable Efficient Multiparty Computation from Threshold Homomorphic Encryption , 2003, CRYPTO.

[35]  Ivan Damgård,et al.  Efficient, Robust and Constant-Round Distributed RSA Key Generation , 2010, TCC.

[36]  Vinod Vaikuntanathan,et al.  Indistinguishability Obfuscation from DDH-Like Assumptions on Constant-Degree Graded Encodings , 2016, 2016 IEEE 57th Annual Symposium on Foundations of Computer Science (FOCS).

[37]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[38]  Aggelos Kiayias,et al.  Secure Games with Polynomial Expressions , 2001, ICALP.

[39]  Silvio Micali,et al.  How to play any mental game, or a completeness theorem for protocols with honest majority , 2019, Providing Sound Foundations for Cryptography.

[40]  Joe Kilian Secure Computation , 2011, Encyclopedia of Cryptography and Security.

[41]  Donald Beaver,et al.  Foundations of Secure Interactive Computing , 1991, CRYPTO.

[42]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[43]  Yehuda Lindell,et al.  Secure Two-Party Computation via Cut-and-Choose Oblivious Transfer , 2011, Journal of Cryptology.

[44]  Andrew Chi-Chih Yao,et al.  Protocols for Secure Computations (Extended Abstract) , 1982, FOCS.

[45]  Ivan Damgård,et al.  A Practical Implementation of Secure Auctions Based on Multiparty Integer Computation , 2006, Financial Cryptography.

[46]  Ivan Damgård,et al.  Constant-Overhead Secure Computation of Boolean Circuits using Preprocessing , 2013, TCC.

[47]  Moni Naor,et al.  Oblivious Polynomial Evaluation , 2006, SIAM J. Comput..

[48]  Jonathan Katz,et al.  Threshold Cryptosystems Based on Factoring , 2002, ASIACRYPT.

[49]  Ee-Chien Chang,et al.  Faster Secure Arithmetic Computation Using Switchable Homomorphic Encryption , 2014, IACR Cryptol. ePrint Arch..

[50]  Yehuda Lindell,et al.  Introduction to Modern Cryptography , 2004 .

[51]  David Witmer,et al.  Goldreich's PRG: Evidence for Near-Optimal Polynomial Stretch , 2014, 2014 IEEE 29th Conference on Computational Complexity (CCC).

[52]  R. Cramer,et al.  Multiparty Computation from Threshold Homomorphic Encryption , 2000 .

[53]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[54]  Taher ElGamal,et al.  A public key cyryptosystem and signature scheme based on discrete logarithms , 1985 .

[55]  Aggelos Kiayias,et al.  On the Portability of Generalized Schnorr Proofs , 2009, EUROCRYPT.

[56]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[57]  Yehuda Lindell,et al.  More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries , 2015, IACR Cryptol. ePrint Arch..

[58]  Michael O. Rabin,et al.  How To Exchange Secrets with Oblivious Transfer , 2005, IACR Cryptol. ePrint Arch..

[59]  Ivan Damgård,et al.  Generic Lower Bounds for Root Extraction and Signature Schemes in General Groups , 2002, EUROCRYPT.

[60]  Meena Mahajan,et al.  Non-Commutative Arithmetic Circuits: Depth Reduction and Size Lower Bounds , 1998, Theor. Comput. Sci..