Download presentation
Presentation is loading. Please wait.
1
Non-Trivial Witness Encryption and Null-ππ from Standard Assumptions
Zvika Brakerski (Weizmann), Aayush Jain (UCLA), Ilan Komargodski (Cornell), Alain PasselΓ¨gue (UCLA β Inria), Daniel Wichs (Northeastern U.) 0β-0β15β bonjour a tous, je suis tres heureux dβetre ici pour vous parler ce projet qui porte sur lβetude des fonctions pseudo-aleatoires. Je suis actuellement en postdoc a UCLA depuis un peu plus dβun an et jβai fait ma these auparavant a lβENS
2
motivation I want to know if a certain statement is valid
I am willing to give a reward for the answer I want this reward to remain safe if the statement is invalid e.g. βfactoring is in πβ e.g bitcoin proof public prove Riemann, 1000bitcoins βstatementβ /19
3
witness encryption [GGSW14]
πΏ an ππ-language induced by a relation π
πΏ : 0,1 π Γ 0,1 π β 0,1 statement π witness π€ if π βπΏ πΈππ 1 π ,π ,π β π πΈππ 1 π ,π ,πβ² keyless no security guarantee regarding π if π βπΏ definition for NP π€ with π
πΏ π ,π€ =1 if π βπΏ π /19
4
witness encryption [GGSW14]
if π βπΏ πΈππ 1 π ,π ,ππππππ
β π πΈππ 1 π ,π ,ππππ
ππ reward can be claimed β the statement is valid definition for NP π€ with π
πΏ π ,π€ =1 if π βπΏ πππ€πππ /19
5
applications [GGSW14,KNY14]
public-key encryption, identity-based encryption attribute-based encryption for π/ππππ¦ secret-sharing for monotone ππ SS for NP, ... /19
6
state of the art only known from multilinear maps, obfuscation, ...
security of these notions is still very uncertain can we build non-trivial witness encryption from standard assumptions? here is a construction! here is how to break it! [GGH13, CLT13, GGH15, MZ18, ...] [CHL+15, CGH+15, MSZ16, CFL+16, ...] io, mmaps... LWE? /19
7
non-trivial efficiency
non-trivial efficiency first introduced in the context of ππ [LPST16] πΆ correctness: πͺ β‘πͺ security: πͺβ‘ πͺ β² β πͺ β π πͺ β² ππ πΆ trivial: truth-table πΆ πΆ( 0 π ) πΆ( 1 π ) β¦ πΆ non-trivial IO + LWE => IO 2 π β
ππ’π‘ππ’π‘ = 2 π β
ππππ¦ πΆ /19
8
importance of non-trivial constructions
non-trivial efficiency first introduced in the context of ππ [LPST16] πΆ correctness: πͺ β‘πͺ security: πͺβ‘ πͺ β² β πͺ β π πͺ β² ππ πΆ non-trivial: πΆ πππ πΆ non-trivial IO + LWE => IO π ππΈ β
ππππ πͺ with πΈ<π thm: [LPST16] πΎ-πππ with πΎ=Ξ© 1 +LWEβ full-fledged ππ used in most ππ constructions since then [LV16, BNPW16, Lin17, AS17, LT17, Agr18, LM18, AJKS18, ...] /19
9
what is trivial/non-trivial for WE?
π
πΏ : 0,1 π Γ 0,1 π β 0,1 if π βπΏ πΈππ 1 π ,π ,π β π πΈππ 1 π ,π ,πβ² if π βπΏ π€ with π
πΏ π ,π€ =1 correctness only if πβπ³ security only if πβπ³ π trivial construction: to encrypt (π ,π), check if π βπΏ (e.g., test π
πΏ π ,π€ ,βπ€β 0,1 π ) if πβπ³: output π (correctness) else: output β₯ (security) π¬ππ run-time = π π β
ππππ(π,π,π) trivial in 2^m, non trivial? non-trivial: π¬ππ run-time = π πΈπ β
ππππ(π,π,π) with πΈ<π we call it πΈ-XWE(πΎ-EXponentially efficient Witness Encryption) /19
10
our results we construct π/π-XWE (run-time 2 π/2 β
ππππ¦(π,π,π)):
for π΅π· from πππ for π΅π· languages with π΅ πͺ π verification from ππππ we construct π/π-Xnull-ππΆ from πππ efficiency trade-off for XWE from LWE this talk XWE, XNiO /19
11
attribute-based encryption
public attribute private message πΈπ π π π π΄,π can delegate partial decryption keys π π π technical slides predicate /19
12
attribute-based encryption
public attribute private message if π π΄ =0 πΈπ π π π π΄,π πΈπ π π π π΄,π β π πΈπ π π π π΄,πβ² can delegate partial decryption keys π π π π π π technical slides if π π΄ =1 predicate π /19
13
Β½-XWE from ABE πΏ an ππ-language induced by a relation πΉ π³ : π,π π Γ π,π π β π,π πβπ³ββπβ π,π π π.π. πΉ π³ π,π =π for any fixed statement π β 0,1 π , consider the circuit πΉ π β πΉ π³ π,β
πΉ π : π,π π/π Γ π,π π/π β{π,π} πΉ π : π,π π β{π,π} π€ 1 technical slides π€ 2 π
π ( π€ 1 || π€ 2 ) π
π π€ π€ 2 π/2 2 π/2 /19
14
Β½-XWE from ABE πΏ an ππ-language induced by a relation πΉ π³ : π,π π Γ π,π π β π,π πβπ³ββπβ π,π π π.π. πΉ π³ π,π =π for any fixed statement π β 0,1 π , consider the circuit πΉ π βπΉ π,β
how to encrypt (π,π) for a fixed statement π ? πΉ π : π,π π/π Γ π,π π/π β{π,π} π¬π π ππ ( π π ,π) π€ 1 technical slides ππ πΉ π (β
| π π ) π€ 2 π
π ( π€ 1 || π€ 2 ) π
π π€ π€ 2 π/2 2 π/2 /19
15
Β½-XWE from ABE π
π π€ π€ πΉ π : π,π π/π Γ π,π π/π β{π,π}
πΉ π : π,π π/π Γ π,π π/π β{π,π} how to encrypt (π,π) for a fixed statement π ? correctness: πβπ³ββπ= π π | π π π.π. πΉ π π π | π π =π security: πβπ³ββπ= π π | π π , πΉ π π π | π π =π π¬π π ππ ( π π ,π) π
π π€ π€ 2 π/2 π¬π π ππ ( π π ,π) ππ πΉ π (β
| π π ) β π π¬π π ππ ( π π ,πβ²) ππ πΉ π (β
| π π ) technical slides π ππ πΉ π (β
| π π ) /19
16
Β½-XWE from ABE πΈππ 1 π ,π ,π is formed of:
πΏ an ππ-language induced by a relation π
: 0,1 π Γ 0,1 π β 0,1 πΈππ 1 π ,π ,π is formed of: π π/π ABE ciphertexts πΈπ π π π π€ 1 ,π π€ 1 β 0,1 π/2 π π/π ABE partial keys π π π
π (β
| π€ 2 ) π€ 2 β 0,1 π/2 each ciphertext/partial key can be generated in time ππππ¦(π,π,π) overall run-time: π π/π β
ππππ π,π,π βπ/π-XWE ABE requirement: can generate keys for predicates πΉ π β
π π technical slides /19
17
instantiations from standard assumptions
instantiated with known ABE schemes, we obtain: Β½-XWE for all ππ from LWE [GVW13] Β½-XWE for ππ languages with verification in π πΆ 1 (e.g. SAT) from BDDH [GPSW06] possible trade-off using ABE with short keys [BGG+14] idea: π π π =ππππ¦ ππππ‘β π β generate partial keys for π€ 3 β 0,1 π/3 π
π (β
π€ 2 π€ 3 ) β longer to encrypt (generate keys for exponential-sized predicate) but fewer keys/ciphertexts (with similar size) thus shorter to decrypt BDDH for NC1, LWE for all NP /19
18
non-trivial null-ππ πΆ πΆ correctness: πͺ β‘πͺ,βπͺ
security: πͺβ‘ πͺ β² β πͺ β π πͺ β² πΆ ππ’ππ-ππ ππ πͺβ‘ πͺ β² β‘π trivial construction: test if πΆβ‘0 (e.g. test πΆ π₯ ==0, βπ₯β 0,1 π ): if πΆβ‘0: output π (security) else: output πͺ (correctness) run-time: 2 π β
ππππ¦ π, πΆ BDDH for NC1, LWE for all NP non-trivial: π πΈπ β
ππππ π, πͺ for any πΈ<π we call it πΈ-Xnull-ππΆ /19
19
1/2-Xnull-ππ we obtain π/π-Xnull-ππΆ from πππ in two ways:
compression-preserving transform from WE to null-ππ via lockable obfuscation (LWE) [WZ17,GKW17] βπΈ-XWE + πππβ πΈ-null-ππΆ similar to XWE construction but using predicate encryption (attribute remains hidden if π(π΄)=0): πΈπ π π π πΆ, π₯ 1 ,1 π₯ 1 β 0,1 π/2 π π π π₯ π₯ 2 β 0,1 π/2 with π π₯ 2 πΆ, π₯ 1 =πΆ( π₯ 1 | π₯ 2 ) πΆ π₯ 1 π₯ 2 =1βπ·ππ π π π π₯ 2 ,π π‘ π₯ 1 =1 (correctness) if πΆβ‘0, π π₯ 2 πΆ, π₯ 1 =0, β π₯ 1 , π₯ (security) BDDH for NC1, LWE for all NP /19
20
conclusion and open problems
we construct π/π-XWE and π/π-Xnull-ππΆ from standard assumptions can we bootstrap XWE (resp. Xnull-ππ) to full-fledged WE (resp. null-ππ) like in the case of ππ? can we use XWE or Xnull-ππ to build efficient primitives from standard assumptions? BDDH for NC1, LWE for all NP /19
21
thanks!
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.