Multi-input Functional Encryption

Goldwasser, Shafi; Gordon, Steven; Goyal, Vipul; Jain, Abhishek; Katz, Jonathan; Liu, Feng-Hao; Sahai, Amit; Shi, Elaine; Zhou, Hong-Sheng

doi:10.1007/978-3-642-55220-5_32

Cited by 229 publications

(149 citation statements)

References 18 publications

Supporting

Mentioning

149

Contrasting

Order By: Relevance

“…In independent and concurrent work, Carter et al [3] introduce a third party to generate garbled circuits for such schemes but require this entity to be online throughout and model the system as a secure multi-party computation between the client, server and thirdparty. Some works [7,4] consider the multi-client case where functions are computed over joint input from multiple clients. Parno et al [10] introduced Publicly Verifiable Computation (PVC), where a single client C 1 computes EK F , as well as publishing information P K F that enables other clients to encode inputs (so only one client has to run the expensive pre-processing stage).…”

Section: Verifiable Computation Schemes and Related Workmentioning

confidence: 99%

Revocation in Publicly Verifiable Outsourced Computation

Alderman

Janson

Cid

et al. 2015

Information Security and Cryptology

View full text Add to dashboard Cite

Abstract. The combination of software-as-a-service and the increasing use of mobile devices gives rise to a considerable difference in computational power between servers and clients. Thus, there is a desire for clients to outsource the evaluation of complex functions to an external server. Servers providing such a service may be rewarded per computation, and as such have an incentive to cheat by returning garbage rather than devoting resources and time to compute a valid result. In this work, we introduce the notion of Revocable Publicly Verifiable Computation (RPVC), where a cheating server is revoked and may not perform future computations (thus incurring a financial penalty). We introduce a Key Distribution Center (KDC) to efficiently handle the generation and distribution of the keys required to support RPVC. The KDC is an authority over entities in the system and enables revocation. We also introduce a notion of blind verification such that results are verifiable (and hence servers can be rewarded or punished) without learning the value. We present a rigorous definitional framework, define a number of new security models and present a construction of such a scheme built upon Key-Policy Attribute-based Encryption.

show abstract

Section: Verifiable Computation Schemes and Related Workmentioning

confidence: 99%

Revocation in Publicly Verifiable Outsourced Computation

Alderman

Janson

Cid

et al. 2015

Information Security and Cryptology

View full text Add to dashboard Cite

show abstract

“…We define a new 2-inputs functional encryption scheme CRFE[eO, FS] = (Setup, KeyGen, Enc, Eval) for functionality TM 2 as follows 11 -Setup(1 λ ): chooses a pair (msk, vk) ← FS.Setup(1 λ ) and generates a key sk 1 ← FS.KeyGen(msk, 1) that allows signing all messages (i.e., for the always-accepting predicate 1(T ) = T ∀ T ). It sets Ek 1 = Ek 2 = vk and outputs Mpk = Ek 1 and Msk = (sk 1 , vk).…”

Section: Definition 7 [Eo-based Transformation]mentioning

confidence: 99%

“…Recall that a Multi-Input FE (MI-FE) scheme [11][12][13] is a FE over multiple ciphertexts. Let our starting scheme 2 Specifically, in our main transformation the size of the tokens is constant if we employ a collision-resistant hash function of variable-length, otherwise their size only depends on the encoding of the value and thus can be sub-logarithmic.…”

Section: Introductionmentioning

confidence: 99%

“…Indeed, in this case one needs to assume that such users trust each other, and thus they will tag the ciphertexts and tokens with the correct timestamp. 7 The main focus of the work of Goldwasser et al [13] is for the circuit model but they sketch how to extend it to the Turing Machine model. Similar considerations hold for the schemes of Gordon et al [12].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Simulation-Based Secure Functional Encryption in the Random Oracle Model

Iovino

Żebroski

2015

Progress in Cryptology -- LATINCRYPT 2015

View full text Add to dashboard Cite

Abstract. One of the main lines of research in functional encryption (FE) has consisted in studying the security notions for FE and their achievability. This study was initiated by where it was first shown that for FE the indistinguishabilitybased (IND) security notion is not sufficient in the sense that there are FE schemes that are provably IND-Secure but concretely insecure. For this reason, researchers investigated the achievability of Simulation-based (SIM) security, a stronger notion of security. Unfortunately, the abovementioned works and others [e.g., Agrawal et al. -CRYPTO'13] have shown strong impossibility results for SIM-Security. One way to overcome these impossibility results was first suggested in the work of Boneh et al. where it was shown how to construct, in the Random Oracle (RO) model, SIM-Secure FE for restricted functionalities and was asked the generalization to more complex functionalities as a challenging problem in the area. Subsequently, proposed a candidate construction of SIM-Secure FE for all circuits in the RO model assuming the existence of an IND-Secure FE scheme for circuits with RO gates. To our knowledge there are no proposed candidate IND-Secure FE schemes for circuits with RO gates and they seem unlikely to exist. We propose the first constructions of SIM-Secure FE schemes in the RO model that overcome the current impossibility results in different settings. We can do that because we resort to the two following models:-In the public-key setting we assume a bound on the number of queries but this bound only affects the running-times of our encryption and decryption procedures. We stress that our FE schemes in this model are SIM-Secure and have ciphertexts and tokens of constantsize, whereas in the standard model, the current SIM-Secure FE schemes for general functionalities [De Caro et al., have ciphertexts and tokens of size growing as the number of queries. -In the symmetric-key setting we assume a timestamp on both ciphertexts and tokens. In this model, we provide FE schemes with short ciphertexts and tokens that are SIM-Secure against adversaries asking an unbounded number of queries. Both results also assume the RO model, but not functionalities with RO gates and rely on extractability obfuscation (and other standard primitives) secure only in the standard model.

show abstract

“…For example, it amounts to best possible obfuscation [GR07], in the sense that anything that can be hidden by some obfuscator will be hidden by every indistinguishability obfuscator. Subsequent to [GGH + 13], a flood of results have appeared showing that indistinguishability obfuscation suffices for many applications, such as the construction of public-key encryption from private-key encryption, the existence of deniable encryption, the existence of multi-input functional encryption, and more [SW13, GGH + 13, HSW13,GGJS13].…”

Section: Introductionmentioning

confidence: 99%

The Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator

Bitansky

Canetti

Cohn

et al. 2014

Advances in Cryptology – CRYPTO 2014

Self Cite

View full text Add to dashboard Cite

In this paper we show that the existence of general indistinguishability obfuscators conjectured in a few recent works implies, somewhat counterintuitively, strong impossibility results for virtual black box obfuscation. In particular, we show that indistinguishability obfuscation for all circuits implies:• The impossibility of average-case virtual black box obfuscation with auxiliary input for any circuit family with super-polynomial pseudo-entropy. Such circuit families include all pseudo-random function families, and all families of encryption algorithms and randomized digital signatures that generate their required coin flips pseudo-randomly. Impossibility holds even when the auxiliary input depends only on the public circuit family, and not the specific circuit in the family being obfuscated.• The impossibility of average-case virtual black box obfuscation with a universal simulator (with or without any auxiliary input) for any circuit family with super-polynomial pseudo-entropy.These bounds significantly strengthen the impossibility results of Goldwasser and Kalai (STOC 2005). * Tel Aviv University, nirbitan@tau.ac.il.

show abstract

Multi-input Functional Encryption

Cited by 229 publications

References 18 publications

Revocation in Publicly Verifiable Outsourced Computation

Revocation in Publicly Verifiable Outsourced Computation

Simulation-Based Secure Functional Encryption in the Random Oracle Model

The Impossibility of Obfuscation with Auxiliary Input or a Universal Simulator

Contact Info

Product

Resources

About