Possibility and Impossibility Results for Encryption and Commitment Secure under Selective Opening

Bellare, Mihir; Hofheinz, Dennis; Yilek, Scott

doi:10.1007/978-3-642-01001-9_1

Cited by 188 publications

(260 citation statements)

References 42 publications

Supporting

Mentioning

258

Contrasting

Order By: Relevance

“…Specifically, NCER implementations were shown in [JL00,CHK05] under the respective DDH and DCR hardness assumptions, whereas NCES was realized under the DDH assumption in [BHY09]. In this paper we further show how to realize NCES under the DCR assumption.…”

Section: Securitymentioning

confidence: 85%

See 1 more Smart Citation

One-Sided Adaptively Secure Two-Party Computation

Hazay

Patra

2014

Theory of Cryptography

View full text Add to dashboard Cite

Adaptive security is a strong security notion that captures additional security threats that are not addressed by static corruptions. For instance, it captures real-world scenarios where "hackers" actively break into computers, possibly while they are executing secure protocols. Studying this setting is interesting from both theoretical and practical points of view. A primary building block in designing adaptively secure protocols is a non-committing encryption (NCE) that implements secure communication channels in the presence of adaptive corruptions. Current constructions require a number of public key operations that grows linearly with the length of the message. Furthermore, general two-party protocols require a number of NCE calls that dependents both on the circuit size and the security parameter.In this paper we study the two-party setting in which at most one of the parties is adaptively corrupted, and demonstrate the feasibility of (1) NCE with constant number of public key operations for large message spaces. (2) Oblivious transfer with constant number of public key operations for large sender's input spaces, and (3) constant round secure computation protocols with an overall number of public key operations that is linear in the circuit size. Our study demonstrates that such primitives indeed exist in the presence of single corruptions without erasures, while this is not known for fully adaptive security under standard assumptions (where both parties may get corrupted). Our results are shown in the UC setting with a CRS setup.

show abstract

Section: Securitymentioning

confidence: 85%

“…NCES can be realized under the DDH assumption [BHY09] for polynomial-size message spaces and under the DCR assumption for exponential-size message spaces. The later construction is presented in Section 3.1.1.…”

Section: Public Key Indistinguishabilitymentioning

confidence: 99%

One-Sided Adaptively Secure Two-Party Computation

Hazay

Patra

2014

Theory of Cryptography

View full text Add to dashboard Cite

show abstract

“…For a random variable X, we let x ←$ X denote choosing a value uniformly at random according to (the distribution of) X and assigning it to x. We say a function (1) . We let negl(λ) denote an arbitrary negligible function, poly(λ) a polynomially bounded function and …”

Section: Preliminariesmentioning

confidence: 99%

“…Specifically, Peikert and Waters used LTDFs to construct one-way injective trapdoor functions, collision-resistant hash functions, CPA and CCA-secure encryption 1 , and more. More recently, LTDFs were used to construct deterministic PKE schemes secure in the standard model [3], as well as PKE schemes secure under selective-opening attack [1].…”

Section: Introductionmentioning

confidence: 99%

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions

Mol

Yilek

2010

Public Key Cryptography – PKC 2010

Self Cite

View full text Add to dashboard Cite

Abstract. Lossy Trapdoor Functions (LTDFs), introduced by Peikert and Waters (STOC 2008) have been useful for building many cryptographic primitives. In particular, by using an LTDF that loses a (1 − 1/ω(log n)) fraction of all its input bits, it is possible to achieve CCA security using the LTDF as a black-box. Unfortunately, not all candidate LTDFs achieve such a high level of lossiness. In this paper we drastically lower the lossiness required to achieve CCA security, showing that an LTDF that loses only a noticeable fraction of a single bit can be used in a black-box way to build CCA-secure PKE. To show our result, we build on the recent result of Rosen and Segev (TCC 2009) that showed how to achieve CCA security from functions whose products are oneway on particular types of correlated inputs. Lastly, we give an example construction of a slightly lossy TDF based on the assumption that it is hard to distinguish the product of two primes from the product of three primes.

show abstract

“…As observed by [31], in the case of PKE, deniability implies a scheme is also non-committing [15,16] and secure under key-revealing selective-opening attacks (SOA-K) [18,6]. On the other hand, it was recently observed by [7] that the notion of simulation-based (SIM) security for FE implicitly incorporates SOA-K. SIM-security is a stronger notion of security for FE than IND-security and has been the subject of multiple recent works [30,12,7,1,17,23,5].…”

Section: Introductionmentioning

confidence: 99%

Deniable Functional Encryption

Caro

Iovino²,

O’Neill

2016

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Deniable encryption, first introduced by Canetti et al. (CRYPTO 1997), allows a sender and/or receiver of encrypted communication to produce fake but authentic-looking coins and/or secret keys that "open" the communication to a different message. Here we initiate its study for the more general case of functional encryption (FE), as introduced by Boneh et al. (TCC 2011), wherein a receiver in possession of a key k can compute from any encryption of a message x the value F (k, x) according to the scheme's functionality F . Our results are summarized as follows: We put forth and motivate the concept of deniable FE, for which we consider two models. In the first model, as previously considered by O'Neill et al. (CRYPTO 2011) in the case of identity-based encryption, a receiver gets assistance from the master authority to generate a fake secret key. In the second model, there are "normal" and "deniable" secret keys, and a receiver in possession of a deniable secret key can produce a fake but authentic-looking normal key on its own. This parallels the "multidistributional" model of deniability previously considered for public-key encryption. In the first model, we show that any FE scheme for the general circuit functionality (as several recent candidate construction achieve) can be converted into an FE scheme having receiver deniability, without introducing any additional assumptions. In addition we show an efficient receiver deniable FE for Boolean Formulae from bilinear maps. In the second (multi-distributional) model, we show a specific FE scheme for the general circuit functionality having receiver deniability. This result additionally assumes differing-inputs obfuscation and relies on a new technique we call delayed trapdoor circuits. To our knowledge, a scheme in the multi-distributional model was not previously known even in the simpler case of identity-based encryption. Finally, we show that receiver deniability for FE implies some form of simulation security, further motivating study of the latter and implying optimality of our results.

show abstract

Possibility and Impossibility Results for Encryption and Commitment Secure under Selective Opening

Cited by 188 publications

References 42 publications

One-Sided Adaptively Secure Two-Party Computation

One-Sided Adaptively Secure Two-Party Computation

Chosen-Ciphertext Security from Slightly Lossy Trapdoor Functions

Deniable Functional Encryption

Contact Info

Product

Resources

About