On the Achievability of Simulation-Based Security for Functional Encryption

De, Angelo; Iovino, Vincenzo; Jain, Abhishek; O’Neill, Adam; Paneth, Omer; Persiano, Giuseppe

doi:10.1007/978-3-642-40084-1_29

Cited by 75 publications

(38 citation statements)

References 26 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Anyway, one could object that if we instantiate the RO with any concrete hash function, the resulting scheme is not "SIM-Secure" due to the impossibility results. This problem is also shared with the constructions for the RO model of De Caro et al [8] and Boneh et al [1]. What does it mean?…”

Section: Introductionmentioning

confidence: 94%

“…-Validity. We say that an adversary A in the above game is valid with respect to a checker Checker with efficient checkability if during the execution of the above game, A outputs challenge messages x 0 and x 1 of the same length and asks a set of queries K in the key space of 8 It can appear that the definition be not well-defined because we do not specify how the key k is related to the security parameter. To understand this, you may imagine that k be the code of some algorithm P (ant thus of constant-size) to compute a keyed hash function Hash(·, ·).…”

Section: Collision-resistant Indistinguishability Security For Mi-fementioning

confidence: 99%

“…On the positive direction, Boneh et al [1] showed the existence of SIM-Secure FE schemes in the Random Oracle (RO, in short) [7] model for restricted functionalities (i.e., Attribute-based Encryption), and at the same time they left as a challenging problem the construction of FE for more sophisticated functionalities that satisfy SIMSecurity in the RO model. More recently, De Caro et al [8] showed how to overcome all known impossibility results assuming the existence of INDSecure schemes for circuits with random oracle gates. This is a very strong assumption for which we do not know any candidate scheme and their existence seems unlikely.…”

Section: Introductionmentioning

confidence: 99%

“…Thus, in a standard FE scheme the functionality is fixed in advance, and the scheme should allow to compute over encrypted data accordingly to this functionality. Instead, in the scheme for the RO model of De Caro et al [8], the functionality does depend on the RO, and thus, even their implicit definition of functionality and FE scheme is not standard. Therefore, their scheme is not satisfactory.…”

Section: Introductionmentioning

confidence: 99%

“…We recall (a simplified version of) the transformation of De Caro et al [8] to bootstrap an IND-Secure scheme for Boolean circuits to a SIM-Secure scheme for the same functionality. For sake of simplicity we focus on the non-adaptive setting, specifically on SIMSecurity against adversaries asking q non-adaptive queries.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Simulation-Based Secure Functional Encryption in the Random Oracle Model

Iovino

Żebroski

2015

Progress in Cryptology -- LATINCRYPT 2015

Self Cite

View full text Add to dashboard Cite

Abstract. One of the main lines of research in functional encryption (FE) has consisted in studying the security notions for FE and their achievability. This study was initiated by where it was first shown that for FE the indistinguishabilitybased (IND) security notion is not sufficient in the sense that there are FE schemes that are provably IND-Secure but concretely insecure. For this reason, researchers investigated the achievability of Simulation-based (SIM) security, a stronger notion of security. Unfortunately, the abovementioned works and others [e.g., Agrawal et al. -CRYPTO'13] have shown strong impossibility results for SIM-Security. One way to overcome these impossibility results was first suggested in the work of Boneh et al. where it was shown how to construct, in the Random Oracle (RO) model, SIM-Secure FE for restricted functionalities and was asked the generalization to more complex functionalities as a challenging problem in the area. Subsequently, proposed a candidate construction of SIM-Secure FE for all circuits in the RO model assuming the existence of an IND-Secure FE scheme for circuits with RO gates. To our knowledge there are no proposed candidate IND-Secure FE schemes for circuits with RO gates and they seem unlikely to exist. We propose the first constructions of SIM-Secure FE schemes in the RO model that overcome the current impossibility results in different settings. We can do that because we resort to the two following models:-In the public-key setting we assume a bound on the number of queries but this bound only affects the running-times of our encryption and decryption procedures. We stress that our FE schemes in this model are SIM-Secure and have ciphertexts and tokens of constantsize, whereas in the standard model, the current SIM-Secure FE schemes for general functionalities [De Caro et al., have ciphertexts and tokens of size growing as the number of queries. -In the symmetric-key setting we assume a timestamp on both ciphertexts and tokens. In this model, we provide FE schemes with short ciphertexts and tokens that are SIM-Secure against adversaries asking an unbounded number of queries. Both results also assume the RO model, but not functionalities with RO gates and rely on extractability obfuscation (and other standard primitives) secure only in the standard model.

show abstract

Section: Introductionmentioning

confidence: 94%

Section: Collision-resistant Indistinguishability Security For Mi-fementioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Simulation-Based Secure Functional Encryption in the Random Oracle Model

Iovino

Żebroski

2015

Progress in Cryptology -- LATINCRYPT 2015

Self Cite

View full text Add to dashboard Cite

show abstract

Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption

Datta

Okamoto

Takashima

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Practical Fully Secure Unrestricted Inner Product Functional Encryption Modulo p

Castagnos

Laguillaumie

Tucker

2018

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Functional encryption is a modern public-key cryptographic primitive allowing an encryptor to finely control the information revealed to recipients from a given ciphertext. Abdalla, Bourse, De Caro, and Pointcheval (PKC 2015) were the first to consider functional encryption restricted to the class of linear functions, i.e. inner products. Though their schemes are only secure in the selective model, Agrawal, Libert, and Stehlé (CRYPTO 16) soon provided adaptively secure schemes for the same functionality. These constructions, which rely on standard assumptions such as the Decision Diffie-Hellman (DDH), the Learning-with-Errors (LWE), and Paillier's Decision Composite Residuosity (DCR) problems, do however suffer of various practical drawbacks. Namely, the DCR based scheme only computes inner products modulo an RSA integer which is oversized for many practical applications, while the computation of inner products modulo a prime p either requires, for their (DDH) based scheme, that the inner product be contained in a sufficiently small interval for decryption to be efficient, or, as in the LWE based scheme, suffers of poor efficiency due to impractical parameters. In this paper, we provide adaptively secure functional encryption schemes for the inner product functionality which are both efficient and allow for the evaluation of unbounded inner products modulo a prime p. Our constructions rely on new natural cryptographic assumptions in a cyclic group containing a subgroup where the discrete logarithm (DL) problem is easy which extend Castagnos and Laguillaumie's assumption (RSA 2015) of a DDH group with an easy DL subgroup. Instantiating our generic construction using class groups of imaginary quadratic fields gives rise to the most efficient functional encryption for inner products modulo an arbitrary large prime p. One of our schemes outperforms the DCR variant of Agrawal et al.'s protocols in terms of size of keys and ciphertexts by factors varying between 2 and 20 for a 112-bit security.

show abstract

On the Achievability of Simulation-Based Security for Functional Encryption

Cited by 75 publications

References 26 publications

Simulation-Based Secure Functional Encryption in the Random Oracle Model

Simulation-Based Secure Functional Encryption in the Random Oracle Model

Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption

Practical Fully Secure Unrestricted Inner Product Functional Encryption Modulo p

Contact Info

Product

Resources

About