projective arithmetic functional encryption
play

Projective Arithmetic Functional Encryption and - PowerPoint PPT Presentation

Sep 30, 2022 •240 likes •649 views

Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (iO) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai Constructions of iO All current constructions of iO are based on multilinear maps [GGHRSW13,

  1. Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (iO) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai

  2. Constructions of iO All current constructions of iO are based on multilinear maps [GGHRSW13, BR14, BGKPS14, PST14, AGIS14, …, AB15, Zim15, GLSW15, GMMSZ16, Lin16a, LV16, Lin16b, …] Multilinear maps: generalization of bilinear maps • Degree-D multilinear maps: can compute degree-D • polynomials in the exponents of the group

  3. What is the minimum degree of multilinear maps required to construct iO? Ideal Goal: 2 large poly(k) 32 constant [LV’16] [Lin’16] Original works [GGHRSW’13, BGKPS’14, …]: • degree = polynomial in security parameter Lin’16: degree = constant • LV’16: degree = 32 •

  4. This Work iO from degree- 5 multinear maps Ideal Goal: 2 5 32 large poly(k,|C|) [LV’16] constant [Lin’16] A new template to construct iO from constant degree multilinear maps

  5. Prior Works [Lin’16,LV’16] Collusion-Resistant Constant Degree Functional Encryption iO Mmaps for boolean circuits

  6. Prior Works [Lin’16,LV’16] Collusion-Resistant Constant Degree Functional Encryption iO Mmaps for boolean circuits MMap computations performed over large fields - To construct FE from mmaps: need to “arithmetize” the boolean circuits -

  7. Our Template Projective Arithmetic Constant Degree FE iO Mmaps for arithmetic circuits PAFE is a version of functional encryption for arithmetic circuits -

  8. Our Template (in detail) Projective Arithmetic Degree- D FE for Multilinear maps Degree- D (subexp. secure) polynomials (subexp. secure) + degree- D randomizing polynomials (Secret Key) [BNPW16, LPST15, AJ15, BV15] Sub-linear iO FE for P + sub-exponential LWE (subexp. secure)

  9. Instantiation iO Projective Arithmetic from Degree- 5 FE for degree-5 Multilinear maps multilinear Degree- 5 (subexp. secure) maps! polynomials (subexp. secure) + degree- 5 randomizing polynomials (assumes degree-5 PRGs (Secret Key) [BNPW16, LPST15, AJ15, BV15] with poly stretch) Sub-linear iO FE for P + sub-exponential LWE (subexp. secure)

  10. Instantiation iO Projective Arithmetic from Degree- 5 FE for degree-5 Multilinear maps multilinear Degree- 5 (subexp. secure) maps! polynomials (subexp. secure) + CONCURRENT WORK: degree- 5 Lin’17 built iO assuming randomizing joint SXDH on degree-5 mmaps polynomials (assumes degree-5 PRGs (Secret Key) [BNPW16, LPST15, AJ15, BV15] with poly stretch) Sub-linear iO FE for P + sub-exponential LWE (subexp. secure)

  11. Technical Overview

  12. Our Template Projective Arithmetic Degree- D FE for Multilinear maps Degree- D (subexp. secure) polynomials (subexp. secure) + degree- randomizing polynomials (Secret Key) [BNPW16, LPST15, AJ15, BV15] Sub-linear iO FE for P + sub-exponential LWE (subexp. secure)

  13. Projective Arithmetic FE (PAFE) • FIRST ATTEMPT: Same syntax as FE for boolean circuits except that functional keys issued for polynomials (over large fields) Encryption of x + Key of polynomial p := p ( x ) ISSUE: Current techniques are a limiting factor ! If p(x) is large, we don’t know how to construct this notion - Reason: Decryption in existing FE schemes yields Encoding(p(x)) - and can decode only if p(x) is small

  14. Projective Arithmetic FE (PAFE) p 1 p 2 p 3 Key Generation x sk p1 sk p2 sk p3 Encryption + + + … Enc(x) Projective Decrypt ENCODINGS: p 1 (x) p 2 (x) p 3 (x) Can recover linear function of (p 1 (x),p 2 (x),p 3 (x),…) if output of linear function is “small”

  15. Efficiency • Linear Overhead: • Size of encryption of y := |y| poly(k,D) D - degree of polynomials Security • Semi-functional security: • Inspired by ABE literature [ Wat09,LOS+10,…,GGHZ14 ] • Captures a weak form of function hiding

  16. Our Template Projective Arithmetic Degree- D FE for Multilinear maps Degree- D (subexp. secure) polynomials (subexp. secure) + degree- D randomizing polynomials (Secret Key) [BNPW16, LPST15, AJ15, BV15] Sub-linear iO FE for P + sub-exponential LWE (subexp. secure)

  17. Sub-linear (Secret Key) FE for Boolean circuits SUB-LINEARITY |Enc(x)| = |C| e poly(k,|x|) ; e <1

  18. Randomizing Polynomials C Encode … p N p 1 p 2 … + + + (x, r ) … … Decode + + = C(x) p 1 (x,r) p 2 (x,r) p N (x,r) If all p i is of degree D then it is a degree-D randomizing polynomial

  19. Construction of Sub-linear FE Key Generation of C: C Randomizing Polynomial of C … p N p 1 p 2 PAFE key generation of p 1 ,…,p N … sk pN sk p1 sk p2 Functional key of C = (sk p1 , … , sk pN )

  20. Construction of Sub-linear FE C Key Generation of C: … p N p 1 p 2 … sk pN sk p1 sk p2 Encryption of x: x (x, r ) r

  21. Construction of Sub-linear FE C Key Generation of C: … p N p 1 p 2 SUB-LINEARITY PROPERTY of randomizing polynomials: … sk pN sk p1 sk p2 |r| is sublinear in the length of circuit description Encryption of x: x (x, r ) r

  22. Construction of Sub-linear FE Decryption (INTUITION) : Execute PAFE ProjectiveDecrypt - Execute Recover to obtain encoding of (C,x) - Execute the decoding procedure -

  23. Instantiation of degree-5 randomizing polynomials (with sub-linearity property) WARMUP: Consider degree-3 randomizing polynomials - [AIK’06] (without sub-linearity property) Compress randomness using PRGs! - Use degree 5 PRGs - (maps seed of length n to n 1.49 ) TOTAL DEGREE = 5 * 3 = 15

  24. Instantiation of degree-5 randomizing polynomials (with sub-linearity property) WARMUP: Goldreich PRG candidate: Analysed by O’Donnell and Witmer'14 Consider degree-3 randomizing polynomials - [AIK’06] (without sub-linearity property) Compress randomness using PRGs! - Use degree 5 PRGs - (maps seed of length n to n 1.49 ) TOTAL DEGREE = 5 * 3 = 15

  25. Instantiation of degree-5 randomizing polynomials (with sub-linearity property) WARMUP: Consider degree-3 randomizing polynomials - [AIK’06] (without sub-linearity property) Degree-5 randomizing polynomials: Compress randomness using PRGs! - We use pre-processing trick! Use degree 5 PRGs - (pre-compute some partial terms ahead of time) (maps seed of length n to n 1.49 ) TOTAL DEGREE = 5 * 3 = 15

  26. Our Template Projective Arithmetic Degree- D FE for Multilinear maps Degree- D (subexp. secure) polynomials (subexp. secure) + degree- randomizing polynomials (Secret Key) [BNPW16, LPST15, AJ15, BV15] Sub-linear iO FE for P + sub-exponential LWE (subexp. secure)

  27. Slotted Encodings An abstraction of composite order multi-linear maps Encoding of (a,b,c) w.r.t color: a b c + = Addition w.r.t same color: a 1 +a 2 b 1 +b 2 c 1 +c 2 a 1 b 1 c 1 a 2 b 2 c 2 Multiplication w.r.t = a 1* a 2 a 1 b 1 c 1 a 2 b 2 c 2 b 1* b 2 c 1* c 2 * “compatible” colors: Zero Test w.r.t is ZERO if and only if a+b+c=0 a b c color red:

  28. Degree-D Slotted Encodings from Degree-D Prime order mmap Degree-D slotted encodings: if it allows for evaluating polynomials of degree at most D SIMPLE CASE: Degree=2 a 1 b 1 c 1 a 2 b 2 c 2 ,

  29. Degree-D Slotted Encodings from Degree-D Prime order mmap Degree-D slotted encodings: if it allows for evaluating polynomials of degree at most D SIMPLE CASE: Degree=2 Pick vectors u 1 , u 2 , u 3 , v 1 , v 2 , v 3 a 1 u 1 + b 1 u 2 + c 1 u 3 a 2 v 1 + b 2 v 2 + c 2 v 3 , such that < u i , v j > = 1, if i=j = 0, otherwise

  30. Degree-D Slotted Encodings from Degree-D Prime order mmap Degree-D slotted encodings: if it allows for evaluating polynomials of degree at most D SIMPLE CASE: Degree=2 Pick vectors u 1 , u 2 , u 3 , v 1 , v 2 , v 3 a 1 u 1 + b 1 u 2 + c 1 u 3 a 2 v 1 + b 2 v 2 + c 2 v 3 , Dual vector spaces! [OT08,OT09,BJK15] such that < u i , v j > = 1, if i=j = 0, otherwise

  31. Degree-D Slotted Encodings from Degree-D Prime order mmap Degree-D slotted encodings: if it allows for evaluating polynomials of degree at most D SIMPLE CASE: Degree=2 < > , a 1 u 1 + b 1 u 2 + c 1 u 3 a 2 v 1 + b 2 v 2 + c 2 v 3 = a 1 a 2 + b 1 b 2 + c 1 c 2

  32. Degree-D Slotted Encodings from Degree-D Prime order mmap Higher (constant) degrees: tensoring of dual vector spaces Example: Degree=3 < > , a 1 w 1 u 1 + b 1 w 2 u 2 + c 1 w 3 u 3 a 2 v 1 + b 2 v 2 + c 2 v 3 , … = a 1 a 2 w 1 + b 1 b 2 w 2 + c 1 c 2 w 3

  33. Construction of PAFE (Intuition) Setup: Pick R 1 ,…,R n Encryption of x: … x 1 R 1 0 x 2 R 2 0 x n R n 0 Key Generation of polynomial p: p , 0 p(R 1 ,…,R n ) 0 WHY IS IT SECURE? p(R 1 ,…,R n ) in second slot “forces” homomorphic evaluation of p on ciphertext encodings

  34. Construction of PAFE (Intuition) Setup: Pick R 1 ,…,R n Encryption of x: … x 1 R 1 0 x 2 R 2 0 x n R n 0 Key Generation of polynomial p: p , 0 p(R 1 ,…,R n ) 0 MAIN ISSUE: Mix-and-match attacks encodings from different ciphertexts can be mixed

  35. Construction of PAFE (Intuition) Setup: Pick R 1 ,…,R n Encryption of x: … x 1 R 1 0 x 2 R 2 0 x n R n 0 Key Generation of polynomial p: Prevented by having p , 0 p(R 1 ,…,R n ) “ciphertext-specific" checks! 0 MAIN ISSUE: Mix-and-match attacks encodings from different ciphertexts can be mixed

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
Functional Encryption Lecture 23 ABE from LWE Functional

Functional Encryption Lecture 23 ABE from LWE Functional

Functional Encryption Lecture 23 ABE from LWE Functional Encryption f g h KeyGen PK SK SK f PK f(x) Dec SK g x g(x) Enc Dec Ciphertext SK h h(x) Dec Index-Payload Functions Message x=(

166 views • 13 slides
Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption [DH76,M78,RSA78,GM84] Avoid Prior Secret Exchange PubK SK 2 Functional Encryption [SW05] Functionality: f( , ) MSK Authority Key: y 2 {0,1}* y SK CT: x

945 views • 16 slides
Functional Encryption from Pairings Michel Abdalla, CNRS and ENS Romain Gay, ENS Mariana

Functional Encryption from Pairings Michel Abdalla, CNRS and ENS Romain Gay, ENS Mariana

Multi-input Inner-Product Functional Encryption from Pairings Michel Abdalla, CNRS and ENS Romain Gay, ENS Mariana Raykova, Yale University Hoeteck Wee, CNRS and ENS Functional Encryption [Boneh, Sahai, Waters 11] m Alice Functional

585 views • 40 slides
Two-Client and Multi-client Functional Encryption for Set Intersection and Variants Tim van de

Two-Client and Multi-client Functional Encryption for Set Intersection and Variants Tim van de

Two-Client and Multi-client Functional Encryption for Set Intersection and Variants Tim van de Kamp David Stritzl Willem Jonker Andreas Peter ACISP 2019 Functional Encryption for Set Operations n evaluate i = 1 S i S 1 S 2 S n

707 views • 32 slides
Unbounded Inner Product Functional Encryption, with Succinct Keys Edouard Dufour Sans and David

Unbounded Inner Product Functional Encryption, with Succinct Keys Edouard Dufour Sans and David

Unbounded Inner Product Functional Encryption, with Succinct Keys Edouard Dufour Sans and David Pointcheval Ecole Normale Sup erieure INRIA June 6, 2019 Table of Contents Background Functional Encryption ABDP Applications of Inner

970 views • 51 slides
Inner Product Functional Encryption Edouard Dufour Sans January 25, 2018 Table of Contents

Inner Product Functional Encryption Edouard Dufour Sans January 25, 2018 Table of Contents

Inner Product Functional Encryption Edouard Dufour Sans January 25, 2018 Table of Contents Introduction Functional Encryption Security definitions Notations The Power of Inner Products Descriptive statistics Machine Learning Practical

930 views • 65 slides
Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon , Andrey Kim ,

Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon , Andrey Kim ,

Homomorphic Encryption for Arithmetic of Approximate Numbers Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon , Andrey Kim , Miran Kim , Yongsoo Song Seoul National University University of

601 views • 29 slides
Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon , Andrey Kim ,

Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon , Andrey Kim ,

Homomorphic Encryption for Arithmetic of Approximate Numbers Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon , Andrey Kim , Miran Kim , Yongsoo Song Seoul National University University of

871 views • 22 slides
Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions Shashank

Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions Shashank

Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions Shashank Agrawal David J. Wu Public-Key Functional Encryption [BSW11, ON10] () Keys are associated with deterministic functions sk

1.47k views • 99 slides
Unifying functional interpretations of nonstandard/uniform arithmetic Chuangjie Xu

Unifying functional interpretations of nonstandard/uniform arithmetic Chuangjie Xu

Introduction Herbrand Dialectica interpretation Unifying functional interpretations Discussion and summary Unifying functional interpretations of nonstandard/uniform arithmetic Chuangjie Xu Ludwig-Maximilians-Universit at M unchen

571 views • 18 slides
Functional Verification of Arithmetic Circuits Maciej Ciesielski Department of Electrical &amp;

Functional Verification of Arithmetic Circuits Maciej Ciesielski Department of Electrical &amp;

Functional Verification of Arithmetic Circuits Maciej Ciesielski Department of Electrical &amp; Computer Engineering University of Massachusetts, Amherst ciesiel@ecs.umass.edu Outline Introduction Hardware verification methods, focus on

1.02k views • 82 slides
Limits on the Power of Indistinguishability Obfuscation and Functional Encryption Gilad Asharov

Limits on the Power of Indistinguishability Obfuscation and Functional Encryption Gilad Asharov

Limits on the Power of Indistinguishability Obfuscation and Functional Encryption Gilad Asharov Gil Segev Hebrew University This Talk A framework for proving impossibility results for commonly-used non-black-box techniques Limits on

596 views • 22 slides
Simple Functional Encryption Schemes for Inner Products Michel Abdalla ( B ) , Florian Bourse,

Simple Functional Encryption Schemes for Inner Products Michel Abdalla ( B ) , Florian Bourse,

Simple Functional Encryption Schemes for Inner Products Michel Abdalla ( B ) , Florian Bourse, Angelo De Caro, and David Pointcheval ENS, CNRS, INRIA, and PSL, 45 Rue dUlm, 75230 Paris Cedex 05, France {

535 views • 19 slides
Some applications and protocols Internet Casino Identity-based encryption Commitment

Some applications and protocols Internet Casino Identity-based encryption Commitment

Some applications and protocols Internet Casino Identity-based encryption Commitment Functional encryption Shared coin flips Fully-homomorphic encryption APPLICATIONS AND PROTOCOLS Threshold cryptography Searchable

399 views • 11 slides
Simple Functional Encryption Schemes for Inner Products Michel Abdalla, Florian Bourse, Angelo De

Simple Functional Encryption Schemes for Inner Products Michel Abdalla, Florian Bourse, Angelo De

Overview of the results The Framework Work in progress Simple Functional Encryption Schemes for Inner Products Michel Abdalla, Florian Bourse, Angelo De Caro, and David Pointcheval Ecole normale sup erieure, CNRS, INRIA, PSL, Paris,

866 views • 71 slides
Counting points on projective hypersurfaces David Harvey New York University 19th October 2010

Counting points on projective hypersurfaces David Harvey New York University 19th October 2010

Counting points on projective hypersurfaces David Harvey New York University 19th October 2010 Workshop on Elliptic Curve Computation Microsoft Research, Redmond, Washington, USA David Harvey Counting points on projective hypersurfaces

524 views • 28 slides
Finite Projective Planes http://math.uwyo.edu/moorhouse/pub/planes/ Eric Moorhouse Mutually

Finite Projective Planes http://math.uwyo.edu/moorhouse/pub/planes/ Eric Moorhouse Mutually

Finite Projective Planes http://math.uwyo.edu/moorhouse/pub/planes/ Eric Moorhouse Mutually Unbiased Bases Mutually Unbiased Bases Mutually Unbiased Bases Mutually Unbiased Bases Mutually Unbiased Bases Mutually Unbiased Bases In order to

884 views • 50 slides
4. How to Submit a Proposal Using EasyGrants - Q &amp; A 2 Assess Conservation Needs and

4. How to Submit a Proposal Using EasyGrants - Q &amp; A 2 Assess Conservation Needs and

1. Webinar Instructions 2. Overview of Chesapeake Bay Stewardship Fund 3. Review of 2017 Chesapeake Bay Technical Capacity Program - Q &amp; A 4. How to Submit a Proposal Using EasyGrants - Q &amp; A 2 Assess Conservation Needs and

658 views • 33 slides
The project financing legal structure Project finance funding

The project financing legal structure Project finance funding

1 The project financing legal structure Project finance funding projects successfully E. (Emile) T.M. Peters 2 Project finance objec-ves: Separate project

476 views • 6 slides
Numerical Optimization Shan-Hung Wu shwu@cs.nthu.edu.tw Department of Computer Science,

Numerical Optimization Shan-Hung Wu shwu@cs.nthu.edu.tw Department of Computer Science,

Numerical Optimization Shan-Hung Wu shwu@cs.nthu.edu.tw Department of Computer Science, National Tsing Hua University, Taiwan Machine Learning Shan-Hung Wu (CS, NTHU) Numerical Optimization Machine Learning 1 / 74 Outline Numerical

2.04k views • 188 slides
Recall: Indexing into Cube Map Compute R = 2( N V ) N V Object at origin V Use

Recall: Indexing into Cube Map Compute R = 2( N V ) N V Object at origin V Use

Recall: Indexing into Cube Map Compute R = 2( N V ) N V Object at origin V Use largest magnitude component R of R to determine face of cube Other 2 components give texture coordinates 1 Cube Map Layout Example R = (

833 views • 40 slides
A Survey of Parallelism in Solving Numerical Optimization and Operations Research Problems

A Survey of Parallelism in Solving Numerical Optimization and Operations Research Problems

A Survey of Parallelism in Solving Numerical Optimization and Operations Research Problems Jonathan Eckstein Rutgers University, Piscataway, NJ, US A (formerly of Thinking Machines Corporation) (also consultant for S andia National

424 views • 27 slides
Projections and Viewing Transformations Graphics &amp; Visualization: Principles &amp; Algorithms

Projections and Viewing Transformations Graphics &amp; Visualization: Principles &amp; Algorithms

Graphics &amp; Visualization Chapter 4 Projections and Viewing Transformations Graphics &amp; Visualization: Principles &amp; Algorithms Chapter 4 Introduction In computer graphics there are: 3D models 2D

477 views • 44 slides

More recommend