On Extractability Obfuscation

Boyle, Elette; Chung, Kai-Min; Pass, Rafael

doi:10.1007/978-3-642-54242-8_3

Cited by 127 publications

(77 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Boyl et al [14] defined obfuscators secure against general distributional auxiliary input. We recall their definition (cf.…”

Section: Extractability Obfuscation Wrt Distributional Auxiliary Imentioning

confidence: 99%

“…In Section 4 we will show how to construct a CRIND-Secure MI-FE from extractability obfuscation w.r.t. distributional auxiliary input [14] (cf. Remark 3).…”

Section: Extractability Obfuscation Wrt Distributional Auxiliary Imentioning

confidence: 99%

“…In order to achieve CRIND-security of MI-FE (as defined in Section 2.1), we make use of the following ideas inspired by the construction of fully IND-Secure FE of Boyle et al [14]. We assume a functional signature scheme FS [21].…”

Section: Constructions Of Crind-secure Mi-fe From Eomentioning

confidence: 99%

See 2 more Smart Citations

Simulation-Based Secure Functional Encryption in the Random Oracle Model

Iovino

Żebroski

2015

Progress in Cryptology -- LATINCRYPT 2015

View full text Add to dashboard Cite

Abstract. One of the main lines of research in functional encryption (FE) has consisted in studying the security notions for FE and their achievability. This study was initiated by where it was first shown that for FE the indistinguishabilitybased (IND) security notion is not sufficient in the sense that there are FE schemes that are provably IND-Secure but concretely insecure. For this reason, researchers investigated the achievability of Simulation-based (SIM) security, a stronger notion of security. Unfortunately, the abovementioned works and others [e.g., Agrawal et al. -CRYPTO'13] have shown strong impossibility results for SIM-Security. One way to overcome these impossibility results was first suggested in the work of Boneh et al. where it was shown how to construct, in the Random Oracle (RO) model, SIM-Secure FE for restricted functionalities and was asked the generalization to more complex functionalities as a challenging problem in the area. Subsequently, proposed a candidate construction of SIM-Secure FE for all circuits in the RO model assuming the existence of an IND-Secure FE scheme for circuits with RO gates. To our knowledge there are no proposed candidate IND-Secure FE schemes for circuits with RO gates and they seem unlikely to exist. We propose the first constructions of SIM-Secure FE schemes in the RO model that overcome the current impossibility results in different settings. We can do that because we resort to the two following models:-In the public-key setting we assume a bound on the number of queries but this bound only affects the running-times of our encryption and decryption procedures. We stress that our FE schemes in this model are SIM-Secure and have ciphertexts and tokens of constantsize, whereas in the standard model, the current SIM-Secure FE schemes for general functionalities [De Caro et al., have ciphertexts and tokens of size growing as the number of queries. -In the symmetric-key setting we assume a timestamp on both ciphertexts and tokens. In this model, we provide FE schemes with short ciphertexts and tokens that are SIM-Secure against adversaries asking an unbounded number of queries. Both results also assume the RO model, but not functionalities with RO gates and rely on extractability obfuscation (and other standard primitives) secure only in the standard model.

show abstract

“…Boyl et al [14] defined obfuscators secure against general distributional auxiliary input. We recall their definition (cf.…”

Section: Extractability Obfuscation Wrt Distributional Auxiliary Imentioning

confidence: 99%

“…In Section 4 we will show how to construct a CRIND-Secure MI-FE from extractability obfuscation w.r.t. distributional auxiliary input [14] (cf. Remark 3).…”

Section: Extractability Obfuscation Wrt Distributional Auxiliary Imentioning

confidence: 99%

See 1 more Smart Citation

Simulation-Based Secure Functional Encryption in the Random Oracle Model

Iovino

Żebroski

2015

Progress in Cryptology -- LATINCRYPT 2015

View full text Add to dashboard Cite

show abstract

“…Next we show show how to transform any "IND-secure" FE scheme for general circuits (i.e., where its functionality F computes general boolean circuits on some input length) into a FE for the same functionality that is (n c , poly)-receiver-deniable in the full model (but where the receiver gets assistance from the master authority to equivocate) without introducing any additional assumption. In particular, recent works [19,13,34,21] show IND-secure FE for general circuits whose security is based either on indistinguishable obfuscation and its variants or polynomial hardness of simple assumptions on multi-linear maps. We can use any of these schemes in our construction.…”

Section: Introductionmentioning

confidence: 99%

“…Namely, a ciphertext of the functional encryption scheme for x corresponds to a double encryption, a la Naor-Yung [28], of x, using a statistical simulation-soundness NIZK. A secret key for circuit C is the differing-input obfuscation [4,2,13] of a trapdoor circuit Trap[C] that takes in input the double encryption of x and the double encryption of the trapdoor values related to Trap [C]. Intuitively, differing-input obfuscation is required because there are certain Ct that allows to understand, for example, which secret key Trap[C] is using to decrypt the double encryption of x.…”

Section: Introductionmentioning

confidence: 99%

Deniable Functional Encryption

Caro

Iovino²,

O’Neill

2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Deniable encryption, first introduced by Canetti et al. (CRYPTO 1997), allows a sender and/or receiver of encrypted communication to produce fake but authentic-looking coins and/or secret keys that "open" the communication to a different message. Here we initiate its study for the more general case of functional encryption (FE), as introduced by Boneh et al. (TCC 2011), wherein a receiver in possession of a key k can compute from any encryption of a message x the value F (k, x) according to the scheme's functionality F . Our results are summarized as follows: We put forth and motivate the concept of deniable FE, for which we consider two models. In the first model, as previously considered by O'Neill et al. (CRYPTO 2011) in the case of identity-based encryption, a receiver gets assistance from the master authority to generate a fake secret key. In the second model, there are "normal" and "deniable" secret keys, and a receiver in possession of a deniable secret key can produce a fake but authentic-looking normal key on its own. This parallels the "multidistributional" model of deniability previously considered for public-key encryption. In the first model, we show that any FE scheme for the general circuit functionality (as several recent candidate construction achieve) can be converted into an FE scheme having receiver deniability, without introducing any additional assumptions. In addition we show an efficient receiver deniable FE for Boolean Formulae from bilinear maps. In the second (multi-distributional) model, we show a specific FE scheme for the general circuit functionality having receiver deniability. This result additionally assumes differing-inputs obfuscation and relies on a new technique we call delayed trapdoor circuits. To our knowledge, a scheme in the multi-distributional model was not previously known even in the simpler case of identity-based encryption. Finally, we show that receiver deniability for FE implies some form of simulation security, further motivating study of the latter and implying optimality of our results.

show abstract