
1 Non-Trivial Witness Encryption and Null-𝑖𝑂 from Standard Assumptions
Zvika Brakerski (Weizmann), Aayush Jain (UCLA), Ilan Komargodski (Cornell), Alain Passelègue (UCLA → Inria), Daniel Wichs (Northeastern U.)
Speaker note (0'-0'15"): Hello everyone, I am very happy to be here to talk to you about this project, which concerns the study of pseudorandom functions. I have been a postdoc at UCLA for a little over a year, and before that I did my PhD at ENS.

2 motivation
I want to know if a certain statement is valid
I am willing to give a reward for the answer
I want this reward to remain safe if the statement is invalid
e.g. "factoring is in $P$"
[figure label: "statement"]
Speaker note: e.g bitcoin proof public prove Riemann, 1000bitcoins

3 witness encryption [GGSW14]
$L$ an $NP$-language induced by a relation $R_L : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}$
statement $s$, witness $w$
keyless encryption $\mathrm{Enc}(1^\lambda, s, m)$
if $s \in L$: $w$ with $R_L(s,w) = 1$ decrypts to $m$
if $s \notin L$: $\mathrm{Enc}(1^\lambda, s, m) \approx_c \mathrm{Enc}(1^\lambda, s, m')$
no security guarantee regarding $m$ if $s \in L$
Speaker note: definition for NP

4 witness encryption [GGSW14]
if $s \notin L$: $\mathrm{Enc}(1^\lambda, s, \mathit{reward}) \approx_c \mathrm{Enc}(1^\lambda, s, \mathit{random})$
if $s \in L$: $w$ with $R_L(s,w) = 1$ decrypts to $\mathit{reward}$
reward can be claimed ⇔ the statement is valid

5 applications [GGSW14,KNY14]
public-key encryption, identity-based encryption
attribute-based encryption for $P/\mathrm{poly}$
secret-sharing for monotone $NP$
Speaker note: SS for NP, ...

6 state of the art
only known from multilinear maps, obfuscation, ...
security of these notions is still very uncertain
here is a construction! [GGH13, CLT13, GGH15, MZ18, ...]
here is how to break it! [CHL+15, CGH+15, MSZ16, CFL+16, ...]
can we build non-trivial witness encryption from standard assumptions?
Speaker note: io, mmaps... LWE?

7 non-trivial efficiency
non-trivial efficiency first introduced in the context of $iO$ [LPST16]
correctness: $iO(C) \equiv C$
security: $C \equiv C' \Rightarrow iO(C) \approx_c iO(C')$
trivial: truth-table of $C$, i.e. $C(0^n), \ldots, C(1^n)$, of size $2^n \cdot |\mathit{output}| = 2^n \cdot \mathrm{poly}(|C|)$
Speaker note: non-trivial IO + LWE => IO

8 importance of non-trivial constructions
non-trivial ($XiO$): size $2^{n\gamma} \cdot \mathrm{poly}(|C|)$ with $\gamma < 1$
thm: [LPST16] $\gamma$-$XiO$ with $\gamma = \Omega(1)$ + LWE ⇒ full-fledged $iO$
used in most $iO$ constructions since then [LV16, BNPW16, Lin17, AS17, LT17, Agr18, LM18, AJKS18, ...]

9 what is trivial/non-trivial for WE?
$R_L : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}$
if $s \in L$: $w$ with $R_L(s,w) = 1$ decrypts to $m$ (correctness only if $x \in L$)
if $s \notin L$: $\mathrm{Enc}(1^\lambda, s, m) \approx_c \mathrm{Enc}(1^\lambda, s, m')$ (security only if $x \notin L$)
trivial construction: to encrypt $(s,m)$, check if $s \in L$ (e.g., test $R_L(s,w)$, $\forall w \in \{0,1\}^m$)
if $s \in L$: output $m$ (correctness)
else: output $\bot$ (security)
$\mathrm{Enc}$ run-time $= 2^{m} \cdot \mathrm{poly}(\lambda, n, m)$
non-trivial: $\mathrm{Enc}$ run-time $= 2^{\gamma m} \cdot \mathrm{poly}(\lambda, n, m)$ with $\gamma < 1$
we call it $\gamma$-XWE ($\gamma$-EXponentially efficient Witness Encryption)
Speaker note: trivial in 2^m, non trivial?

10 our results
we construct $1/2$-XWE (run-time $2^{m/2} \cdot \mathrm{poly}(\lambda, n, m)$):
for $NP$ from LWE
for $NP$ languages with $NC^1$ verification from BDDH
we construct $1/2$-Xnull-$iO$ from LWE
efficiency trade-off for XWE from LWE
[slide label: this talk]
Speaker note: XWE, XNiO

11 attribute-based encryption
$\mathrm{Enc}_{sk}(A, m)$: public attribute $A$, private message $m$
can delegate partial decryption keys $sk_P$ for a predicate $P$
Speaker note: technical slides

12 attribute-based encryption
$\mathrm{Enc}_{sk}(A, m)$: public attribute $A$, private message $m$
can delegate partial decryption keys $sk_P$ for a predicate $P$
if $P(A) = 1$: $sk_P$ decrypts $\mathrm{Enc}_{sk}(A, m)$ to $m$
if $P(A) = 0$: $\mathrm{Enc}_{sk}(A, m) \approx_c \mathrm{Enc}_{sk}(A, m')$

13 ½-XWE from ABE
$L$ an $NP$-language induced by a relation $R_L : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}$
$s \in L \Leftrightarrow \exists w \in \{0,1\}^m$ s.t. $R_L(s,w) = 1$
for any fixed statement $s \in \{0,1\}^n$, consider the circuit $R_s := R_L(s, \cdot)$
$R_s : \{0,1\}^m \to \{0,1\}$, viewed as $R_s : \{0,1\}^{m/2} \times \{0,1\}^{m/2} \to \{0,1\}$
[figure: $R_s(w)$ drawn as a $2^{m/2} \times 2^{m/2}$ grid indexed by $w_1$ and $w_2$, with entries $R_s(w_1 \| w_2)$]

14 ½-XWE from ABE
$L$ an $NP$-language induced by a relation $R_L : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}$
$s \in L \Leftrightarrow \exists w \in \{0,1\}^m$ s.t. $R_L(s,w) = 1$
for any fixed statement $s \in \{0,1\}^n$, consider the circuit $R_s := R(s, \cdot)$
$R_s : \{0,1\}^{m/2} \times \{0,1\}^{m/2} \to \{0,1\}$
how to encrypt $(s,m)$ for a fixed statement $s$?
[figure: the $2^{m/2} \times 2^{m/2}$ grid of $R_s(w_1 \| w_2)$, with a ciphertext $\mathrm{Enc}_{sk}(w_1, m)$ attached to each $w_1$ and a partial key $sk_{R_s(\cdot | w_2)}$ attached to each $w_2$]

15 ½-XWE from ABE
$R_s : \{0,1\}^{m/2} \times \{0,1\}^{m/2} \to \{0,1\}$
how to encrypt $(s,m)$ for a fixed statement $s$?
correctness: $s \in L \Leftrightarrow \exists w = w_1 | w_2$ s.t. $R_s(w_1 | w_2) = 1$; then $sk_{R_s(\cdot | w_2)}$ decrypts $\mathrm{Enc}_{sk}(w_1, m)$ to $m$
security: $s \notin L \Leftrightarrow \forall w = w_1 | w_2$, $R_s(w_1 | w_2) = 0$; then $\big(\mathrm{Enc}_{sk}(w_1, m),\ sk_{R_s(\cdot | w_2)}\big) \approx_c \big(\mathrm{Enc}_{sk}(w_1, m'),\ sk_{R_s(\cdot | w_2)}\big)$

16 ½-XWE from ABE
$L$ an $NP$-language induced by a relation $R : \{0,1\}^n \times \{0,1\}^m \to \{0,1\}$
$\mathrm{Enc}(1^\lambda, s, m)$ is formed of:
$2^{m/2}$ ABE ciphertexts $\{\mathrm{Enc}_{sk}(w_1, m)\}_{w_1 \in \{0,1\}^{m/2}}$
$2^{m/2}$ ABE partial keys $\{sk_{R_s(\cdot | w_2)}\}_{w_2 \in \{0,1\}^{m/2}}$
each ciphertext/partial key can be generated in time $\mathrm{poly}(\lambda, n, m)$
overall run-time: $2^{m/2} \cdot \mathrm{poly}(\lambda, n, m) \Rightarrow 1/2$-XWE
ABE requirement: can generate keys for predicates $R_s(\cdot | w_2)$
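
The shape of the construction on slides 13 to 16, as an added Python sketch that is not part of the talk. `IdealABE` is a hypothetical stand-in that only enforces the ABE decryption rule (it keeps messages in the clear, so it models functionality and operation counts, not secrecy), and the subset-sum relation and its numbers are constructed for the example.

```python
# Added illustration, not from the slides. IdealABE is a hypothetical stand-in:
# it enforces "sk_P opens Enc_sk(A, m) iff P(A) = 1" but provides no secrecy.
from itertools import product

class IdealABE:
    def __init__(self):
        self.ops = 0                          # number of Enc / KeyGen calls

    def enc(self, attribute, message):        # Enc_sk(A, m)
        self.ops += 1
        return {"attr": attribute, "msg": message}

    def keygen(self, predicate):              # sk_P
        self.ops += 1
        return predicate

    @staticmethod
    def dec(key, ct):                         # m if P(A) = 1, else None
        return ct["msg"] if key(ct["attr"]) else None

def halves(m):
    """All strings in {0,1}^(m/2), as tuples of bits (m assumed even)."""
    return list(product((0, 1), repeat=m // 2))

def xwe_encrypt(abe, R_s, m, message):
    """2^(m/2) ciphertexts Enc_sk(w1, message) plus 2^(m/2) keys sk_{R_s(.|w2)}."""
    cts = {w1: abe.enc(w1, message) for w1 in halves(m)}
    keys = {w2: abe.keygen(lambda w1, w2=w2: R_s(w1 + w2)) for w2 in halves(m)}
    return cts, keys

def xwe_decrypt(ciphertext, w):
    """Split the witness as w = w1 | w2 and open ct_{w1} with sk_{R_s(.|w2)}."""
    cts, keys = ciphertext
    w1, w2 = tuple(w[: len(w) // 2]), tuple(w[len(w) // 2 :])
    return IdealABE.dec(keys[w2], cts[w1])

def subset_sum_relation(numbers, target):
    """Constructed NP relation: R_s(w) = 1 iff the subset chosen by w sums to target."""
    return lambda w: int(sum(x for x, bit in zip(numbers, w) if bit) == target)

def demo():
    numbers, m = [3, 9, 14, 20, 27, 31, 40, 52], 8       # constructed statement
    abe = IdealABE()
    ct = xwe_encrypt(abe, subset_sum_relation(numbers, 88), m, "reward")
    good = xwe_decrypt(ct, (0, 1, 0, 0, 1, 0, 0, 1))     # 9 + 27 + 52 = 88
    bad = xwe_decrypt(ct, (1, 0, 0, 0, 0, 0, 0, 0))      # 3 != 88, not a witness
    return good, bad, abe.ops, 2 ** m                    # 32 ABE calls vs 256 checks

if __name__ == "__main__":
    print(demo())
```

The encryptor never evaluates $R_s$ itself: it makes $2 \cdot 2^{m/2}$ ABE calls, and the relation is only evaluated at decryption time on the pair $(w_1, w_2)$ chosen by the decryptor.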

17 instantiations from standard assumptions
instantiated with known ABE schemes, we obtain:
½-XWE for all $NP$ from LWE [GVW13]
½-XWE for $NP$ languages with verification in $NC^1$ (e.g. SAT) from BDDH [GPSW06]
possible trade-off using ABE with short keys [BGG+14]
idea: $|sk_P| = \mathrm{poly}(\mathrm{depth}(P))$ ⇒ generate partial keys for $R_s(\cdot | w_2 | w_3)$, $w_3 \in \{0,1\}^{m/3}$
⇒ longer to encrypt (generate keys for exponential-sized predicate) but fewer keys/ciphertexts (with similar size), thus shorter to decrypt
Speaker note: BDDH for NC1, LWE for all NP

18 non-trivial null-$iO$
correctness: $\text{null-}iO(C) \equiv C$, $\forall C$
security: for $iO$, $C \equiv C' \Rightarrow iO(C) \approx_c iO(C')$; for null-$iO$, only required when $C \equiv C' \equiv 0$
trivial construction: test if $C \equiv 0$ (e.g. test $C(x) == 0$, $\forall x \in \{0,1\}^n$):
if $C \equiv 0$: output $0$ (security)
else: output $C$ (correctness)
run-time: $2^{n} \cdot \mathrm{poly}(\lambda, |C|)$
non-trivial: $2^{\gamma n} \cdot \mathrm{poly}(\lambda, |C|)$ for any $\gamma < 1$
we call it $\gamma$-Xnull-$iO$

19 1/2-Xnull-$iO$
we obtain $1/2$-Xnull-$iO$ from LWE in two ways:
compression-preserving transform from WE to null-$iO$ via lockable obfuscation (LWE) [WZ17,GKW17] ⇒ $\gamma$-XWE + LWE ⇒ $\gamma$-null-$iO$
similar to XWE construction but using predicate encryption (attribute remains hidden if $P(A) = 0$):
ciphertexts $\{\mathrm{Enc}_{sk}((C, x_1), 1)\}_{x_1 \in \{0,1\}^{n/2}}$
keys $\{sk_{U_{x_2}}\}_{x_2 \in \{0,1\}^{n/2}}$ with $U_{x_2}(C, x_1) = C(x_1 | x_2)$
$C(x_1 | x_2) = 1 \Rightarrow \mathrm{Dec}(sk_{U_{x_2}}, ct_{x_1}) = 1$ (correctness)
if $C \equiv 0$, $U_{x_2}(C, x_1) = 0$, $\forall x_1, x_2$ (security)

20 conclusion and open problems
we construct $1/2$-XWE and $1/2$-Xnull-$iO$ from standard assumptions
can we bootstrap XWE (resp. Xnull-$iO$) to full-fledged WE (resp. null-$iO$) like in the case of $iO$?
can we use XWE or Xnull-$iO$ to build efficient primitives from standard assumptions?

21 thanks!

