projective arithmetic functional encryption
play

Projective Arithmetic Functional Encryption and - PowerPoint PPT Presentation

Sep 30, 2022 •240 likes •649 views

Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (iO) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai Constructions of iO All current constructions of iO are based on multilinear maps [GGHRSW13,

  1. Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (iO) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai

  2. Constructions of iO All current constructions of iO are based on multilinear maps [GGHRSW13, BR14, BGKPS14, PST14, AGIS14, …, AB15, Zim15, GLSW15, GMMSZ16, Lin16a, LV16, Lin16b, …] Multilinear maps: generalization of bilinear maps • Degree-D multilinear maps: can compute degree-D • polynomials in the exponents of the group

  3. What is the minimum degree of multilinear maps required to construct iO? Ideal Goal: 2 large poly(k) 32 constant [LV’16] [Lin’16] Original works [GGHRSW’13, BGKPS’14, …]: • degree = polynomial in security parameter Lin’16: degree = constant • LV’16: degree = 32 •

  4. This Work iO from degree- 5 multinear maps Ideal Goal: 2 5 32 large poly(k,|C|) [LV’16] constant [Lin’16] A new template to construct iO from constant degree multilinear maps

  5. Prior Works [Lin’16,LV’16] Collusion-Resistant Constant Degree Functional Encryption iO Mmaps for boolean circuits

  6. Prior Works [Lin’16,LV’16] Collusion-Resistant Constant Degree Functional Encryption iO Mmaps for boolean circuits MMap computations performed over large fields - To construct FE from mmaps: need to “arithmetize” the boolean circuits -

  7. Our Template Projective Arithmetic Constant Degree FE iO Mmaps for arithmetic circuits PAFE is a version of functional encryption for arithmetic circuits -

  8. Our Template (in detail) Projective Arithmetic Degree- D FE for Multilinear maps Degree- D (subexp. secure) polynomials (subexp. secure) + degree- D randomizing polynomials (Secret Key) [BNPW16, LPST15, AJ15, BV15] Sub-linear iO FE for P + sub-exponential LWE (subexp. secure)

  9. Instantiation iO Projective Arithmetic from Degree- 5 FE for degree-5 Multilinear maps multilinear Degree- 5 (subexp. secure) maps! polynomials (subexp. secure) + degree- 5 randomizing polynomials (assumes degree-5 PRGs (Secret Key) [BNPW16, LPST15, AJ15, BV15] with poly stretch) Sub-linear iO FE for P + sub-exponential LWE (subexp. secure)

  10. Instantiation iO Projective Arithmetic from Degree- 5 FE for degree-5 Multilinear maps multilinear Degree- 5 (subexp. secure) maps! polynomials (subexp. secure) + CONCURRENT WORK: degree- 5 Lin’17 built iO assuming randomizing joint SXDH on degree-5 mmaps polynomials (assumes degree-5 PRGs (Secret Key) [BNPW16, LPST15, AJ15, BV15] with poly stretch) Sub-linear iO FE for P + sub-exponential LWE (subexp. secure)

  11. Technical Overview

  12. Our Template Projective Arithmetic Degree- D FE for Multilinear maps Degree- D (subexp. secure) polynomials (subexp. secure) + degree- randomizing polynomials (Secret Key) [BNPW16, LPST15, AJ15, BV15] Sub-linear iO FE for P + sub-exponential LWE (subexp. secure)

  13. Projective Arithmetic FE (PAFE) • FIRST ATTEMPT: Same syntax as FE for boolean circuits except that functional keys issued for polynomials (over large fields) Encryption of x + Key of polynomial p := p ( x ) ISSUE: Current techniques are a limiting factor ! If p(x) is large, we don’t know how to construct this notion - Reason: Decryption in existing FE schemes yields Encoding(p(x)) - and can decode only if p(x) is small

  14. Projective Arithmetic FE (PAFE) p 1 p 2 p 3 Key Generation x sk p1 sk p2 sk p3 Encryption + + + … Enc(x) Projective Decrypt ENCODINGS: p 1 (x) p 2 (x) p 3 (x) Can recover linear function of (p 1 (x),p 2 (x),p 3 (x),…) if output of linear function is “small”

  15. Efficiency • Linear Overhead: • Size of encryption of y := |y| poly(k,D) D - degree of polynomials Security • Semi-functional security: • Inspired by ABE literature [ Wat09,LOS+10,…,GGHZ14 ] • Captures a weak form of function hiding

  16. Our Template Projective Arithmetic Degree- D FE for Multilinear maps Degree- D (subexp. secure) polynomials (subexp. secure) + degree- D randomizing polynomials (Secret Key) [BNPW16, LPST15, AJ15, BV15] Sub-linear iO FE for P + sub-exponential LWE (subexp. secure)

  17. Sub-linear (Secret Key) FE for Boolean circuits SUB-LINEARITY |Enc(x)| = |C| e poly(k,|x|) ; e <1

  18. Randomizing Polynomials C Encode … p N p 1 p 2 … + + + (x, r ) … … Decode + + = C(x) p 1 (x,r) p 2 (x,r) p N (x,r) If all p i is of degree D then it is a degree-D randomizing polynomial

  19. Construction of Sub-linear FE Key Generation of C: C Randomizing Polynomial of C … p N p 1 p 2 PAFE key generation of p 1 ,…,p N … sk pN sk p1 sk p2 Functional key of C = (sk p1 , … , sk pN )

  20. Construction of Sub-linear FE C Key Generation of C: … p N p 1 p 2 … sk pN sk p1 sk p2 Encryption of x: x (x, r ) r

  21. Construction of Sub-linear FE C Key Generation of C: … p N p 1 p 2 SUB-LINEARITY PROPERTY of randomizing polynomials: … sk pN sk p1 sk p2 |r| is sublinear in the length of circuit description Encryption of x: x (x, r ) r

  22. Construction of Sub-linear FE Decryption (INTUITION) : Execute PAFE ProjectiveDecrypt - Execute Recover to obtain encoding of (C,x) - Execute the decoding procedure -

  23. Instantiation of degree-5 randomizing polynomials (with sub-linearity property) WARMUP: Consider degree-3 randomizing polynomials - [AIK’06] (without sub-linearity property) Compress randomness using PRGs! - Use degree 5 PRGs - (maps seed of length n to n 1.49 ) TOTAL DEGREE = 5 * 3 = 15

  24. Instantiation of degree-5 randomizing polynomials (with sub-linearity property) WARMUP: Goldreich PRG candidate: Analysed by O’Donnell and Witmer'14 Consider degree-3 randomizing polynomials - [AIK’06] (without sub-linearity property) Compress randomness using PRGs! - Use degree 5 PRGs - (maps seed of length n to n 1.49 ) TOTAL DEGREE = 5 * 3 = 15

  25. Instantiation of degree-5 randomizing polynomials (with sub-linearity property) WARMUP: Consider degree-3 randomizing polynomials - [AIK’06] (without sub-linearity property) Degree-5 randomizing polynomials: Compress randomness using PRGs! - We use pre-processing trick! Use degree 5 PRGs - (pre-compute some partial terms ahead of time) (maps seed of length n to n 1.49 ) TOTAL DEGREE = 5 * 3 = 15

  26. Our Template Projective Arithmetic Degree- D FE for Multilinear maps Degree- D (subexp. secure) polynomials (subexp. secure) + degree- randomizing polynomials (Secret Key) [BNPW16, LPST15, AJ15, BV15] Sub-linear iO FE for P + sub-exponential LWE (subexp. secure)

  27. Slotted Encodings An abstraction of composite order multi-linear maps Encoding of (a,b,c) w.r.t color: a b c + = Addition w.r.t same color: a 1 +a 2 b 1 +b 2 c 1 +c 2 a 1 b 1 c 1 a 2 b 2 c 2 Multiplication w.r.t = a 1* a 2 a 1 b 1 c 1 a 2 b 2 c 2 b 1* b 2 c 1* c 2 * “compatible” colors: Zero Test w.r.t is ZERO if and only if a+b+c=0 a b c color red:

  28. Degree-D Slotted Encodings from Degree-D Prime order mmap Degree-D slotted encodings: if it allows for evaluating polynomials of degree at most D SIMPLE CASE: Degree=2 a 1 b 1 c 1 a 2 b 2 c 2 ,

  29. Degree-D Slotted Encodings from Degree-D Prime order mmap Degree-D slotted encodings: if it allows for evaluating polynomials of degree at most D SIMPLE CASE: Degree=2 Pick vectors u 1 , u 2 , u 3 , v 1 , v 2 , v 3 a 1 u 1 + b 1 u 2 + c 1 u 3 a 2 v 1 + b 2 v 2 + c 2 v 3 , such that < u i , v j > = 1, if i=j = 0, otherwise

  30. Degree-D Slotted Encodings from Degree-D Prime order mmap Degree-D slotted encodings: if it allows for evaluating polynomials of degree at most D SIMPLE CASE: Degree=2 Pick vectors u 1 , u 2 , u 3 , v 1 , v 2 , v 3 a 1 u 1 + b 1 u 2 + c 1 u 3 a 2 v 1 + b 2 v 2 + c 2 v 3 , Dual vector spaces! [OT08,OT09,BJK15] such that < u i , v j > = 1, if i=j = 0, otherwise

  31. Degree-D Slotted Encodings from Degree-D Prime order mmap Degree-D slotted encodings: if it allows for evaluating polynomials of degree at most D SIMPLE CASE: Degree=2 < > , a 1 u 1 + b 1 u 2 + c 1 u 3 a 2 v 1 + b 2 v 2 + c 2 v 3 = a 1 a 2 + b 1 b 2 + c 1 c 2

  32. Degree-D Slotted Encodings from Degree-D Prime order mmap Higher (constant) degrees: tensoring of dual vector spaces Example: Degree=3 < > , a 1 w 1 u 1 + b 1 w 2 u 2 + c 1 w 3 u 3 a 2 v 1 + b 2 v 2 + c 2 v 3 , … = a 1 a 2 w 1 + b 1 b 2 w 2 + c 1 c 2 w 3

  33. Construction of PAFE (Intuition) Setup: Pick R 1 ,…,R n Encryption of x: … x 1 R 1 0 x 2 R 2 0 x n R n 0 Key Generation of polynomial p: p , 0 p(R 1 ,…,R n ) 0 WHY IS IT SECURE? p(R 1 ,…,R n ) in second slot “forces” homomorphic evaluation of p on ciphertext encodings

  34. Construction of PAFE (Intuition) Setup: Pick R 1 ,…,R n Encryption of x: … x 1 R 1 0 x 2 R 2 0 x n R n 0 Key Generation of polynomial p: p , 0 p(R 1 ,…,R n ) 0 MAIN ISSUE: Mix-and-match attacks encodings from different ciphertexts can be mixed

  35. Construction of PAFE (Intuition) Setup: Pick R 1 ,…,R n Encryption of x: … x 1 R 1 0 x 2 R 2 0 x n R n 0 Key Generation of polynomial p: Prevented by having p , 0 p(R 1 ,…,R n ) “ciphertext-specific" checks! 0 MAIN ISSUE: Mix-and-match attacks encodings from different ciphertexts can be mixed

Recommend

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
Functional Encryption Lecture 23 ABE from LWE Functional

Functional Encryption Lecture 23 ABE from LWE Functional

Functional Encryption Lecture 23 ABE from LWE Functional Encryption f g h KeyGen PK SK SK f PK f(x) Dec SK g x g(x) Enc Dec Ciphertext SK h h(x) Dec Index-Payload Functions Message x=(

168 views • 13 slides
Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption [DH76,M78,RSA78,GM84] Avoid Prior Secret Exchange PubK SK 2 Functional Encryption [SW05] Functionality: f( , ) MSK Authority Key: y 2 {0,1}* y SK CT: x

945 views • 16 slides
Functional Encryption from Pairings Michel Abdalla, CNRS and ENS Romain Gay, ENS Mariana

Functional Encryption from Pairings Michel Abdalla, CNRS and ENS Romain Gay, ENS Mariana

Multi-input Inner-Product Functional Encryption from Pairings Michel Abdalla, CNRS and ENS Romain Gay, ENS Mariana Raykova, Yale University Hoeteck Wee, CNRS and ENS Functional Encryption [Boneh, Sahai, Waters 11] m Alice Functional

585 views • 40 slides
Two-Client and Multi-client Functional Encryption for Set Intersection and Variants Tim van de

Two-Client and Multi-client Functional Encryption for Set Intersection and Variants Tim van de

Two-Client and Multi-client Functional Encryption for Set Intersection and Variants Tim van de Kamp David Stritzl Willem Jonker Andreas Peter ACISP 2019 Functional Encryption for Set Operations n evaluate i = 1 S i S 1 S 2 S n

707 views • 32 slides
Unbounded Inner Product Functional Encryption, with Succinct Keys Edouard Dufour Sans and David

Unbounded Inner Product Functional Encryption, with Succinct Keys Edouard Dufour Sans and David

Unbounded Inner Product Functional Encryption, with Succinct Keys Edouard Dufour Sans and David Pointcheval Ecole Normale Sup erieure INRIA June 6, 2019 Table of Contents Background Functional Encryption ABDP Applications of Inner

970 views • 51 slides
Inner Product Functional Encryption Edouard Dufour Sans January 25, 2018 Table of Contents

Inner Product Functional Encryption Edouard Dufour Sans January 25, 2018 Table of Contents

Inner Product Functional Encryption Edouard Dufour Sans January 25, 2018 Table of Contents Introduction Functional Encryption Security definitions Notations The Power of Inner Products Descriptive statistics Machine Learning Practical

930 views • 65 slides
Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon , Andrey Kim ,

Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon , Andrey Kim ,

Homomorphic Encryption for Arithmetic of Approximate Numbers Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon , Andrey Kim , Miran Kim , Yongsoo Song Seoul National University University of

601 views • 29 slides
Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon , Andrey Kim ,

Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon , Andrey Kim ,

Homomorphic Encryption for Arithmetic of Approximate Numbers Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon , Andrey Kim , Miran Kim , Yongsoo Song Seoul National University University of

871 views • 22 slides
Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions Shashank

Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions Shashank

Functional Encryption: Deterministic to Randomized Functions from Simple Assumptions Shashank Agrawal David J. Wu Public-Key Functional Encryption [BSW11, ON10] () Keys are associated with deterministic functions sk

1.47k views • 99 slides
Unifying functional interpretations of nonstandard/uniform arithmetic Chuangjie Xu

Unifying functional interpretations of nonstandard/uniform arithmetic Chuangjie Xu

Introduction Herbrand Dialectica interpretation Unifying functional interpretations Discussion and summary Unifying functional interpretations of nonstandard/uniform arithmetic Chuangjie Xu Ludwig-Maximilians-Universit at M unchen

571 views • 18 slides
Functional Verification of Arithmetic Circuits Maciej Ciesielski Department of Electrical &amp;

Functional Verification of Arithmetic Circuits Maciej Ciesielski Department of Electrical &amp;

Functional Verification of Arithmetic Circuits Maciej Ciesielski Department of Electrical &amp; Computer Engineering University of Massachusetts, Amherst ciesiel@ecs.umass.edu Outline Introduction Hardware verification methods, focus on

1.02k views • 82 slides
Limits on the Power of Indistinguishability Obfuscation and Functional Encryption Gilad Asharov

Limits on the Power of Indistinguishability Obfuscation and Functional Encryption Gilad Asharov

Limits on the Power of Indistinguishability Obfuscation and Functional Encryption Gilad Asharov Gil Segev Hebrew University This Talk A framework for proving impossibility results for commonly-used non-black-box techniques Limits on

596 views • 22 slides
Simple Functional Encryption Schemes for Inner Products Michel Abdalla ( B ) , Florian Bourse,

Simple Functional Encryption Schemes for Inner Products Michel Abdalla ( B ) , Florian Bourse,

Simple Functional Encryption Schemes for Inner Products Michel Abdalla ( B ) , Florian Bourse, Angelo De Caro, and David Pointcheval ENS, CNRS, INRIA, and PSL, 45 Rue dUlm, 75230 Paris Cedex 05, France {

535 views • 19 slides
Some applications and protocols Internet Casino Identity-based encryption Commitment

Some applications and protocols Internet Casino Identity-based encryption Commitment

Some applications and protocols Internet Casino Identity-based encryption Commitment Functional encryption Shared coin flips Fully-homomorphic encryption APPLICATIONS AND PROTOCOLS Threshold cryptography Searchable

399 views • 11 slides
Simple Functional Encryption Schemes for Inner Products Michel Abdalla, Florian Bourse, Angelo De

Simple Functional Encryption Schemes for Inner Products Michel Abdalla, Florian Bourse, Angelo De

Overview of the results The Framework Work in progress Simple Functional Encryption Schemes for Inner Products Michel Abdalla, Florian Bourse, Angelo De Caro, and David Pointcheval Ecole normale sup erieure, CNRS, INRIA, PSL, Paris,

866 views • 71 slides
Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint

Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint

Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint work with Pratish Datta and Ratna Dutta Department of Mathematics Indian Institute of Technology Kharagpur Kharagpur-721302 India PKC 2016

340 views • 23 slides
Partially Encrypted Machine Learning using Functional Encryption eo Ryffel 1,2 Edouard Dufour-Sans

Partially Encrypted Machine Learning using Functional Encryption eo Ryffel 1,2 Edouard Dufour-Sans

Partially Encrypted Machine Learning using Functional Encryption eo Ryffel 1,2 Edouard Dufour-Sans 1 Romain Gay 1,3 Th Francis Bach 2,1 David Pointcheval 1,2 1 Ecole Normale Sup erieure 2 INRIA 3 UC Berkeley August 18, 2019 Table of

418 views • 38 slides
Computer Vision Mid-Level Vision Projective Geometry The projective projection of a 3D point:

Computer Vision Mid-Level Vision Projective Geometry The projective projection of a 3D point:

Computer Vision Mid-Level Vision Projective Geometry The projective projection of a 3D point: For the fundamental matrix: Ambiguity Projective ambiguity 2D projective plane Ideal points: Conics FIVE POINTS DEFIN E A CONIC Dual conics

519 views • 31 slides
Dynamic Decentralized Functional Encryption Jrmy Chotard, Edouard Dufour Sans , Romain Gay,

Dynamic Decentralized Functional Encryption Jrmy Chotard, Edouard Dufour Sans , Romain Gay,

Dynamic Decentralized Functional Encryption Jrmy Chotard, Edouard Dufour Sans , Romain Gay, Duong Hieu Phan, and David Pointcheval CRYPTO 2020, Monday August 17th 2020 The technological landscape of the early 21st century Lots of data. +

667 views • 48 slides
Multi-Input Functional Encryption for Inner Products: Function-Hiding Realizations and

Multi-Input Functional Encryption for Inner Products: Function-Hiding Realizations and

Multi-Input Functional Encryption for Inner Products: Function-Hiding Realizations and Constructions without Pairings Michel Abdalla Dario Catalano Dario Fiore Romain Gay Bogdan Ursu August 21, 2018 August 21, 2018 1 / 30 Motivation - Spam

552 views • 31 slides
Robust Transforming Combiners from iO to Functional Encryption Prabhanjan Ananth Aayush Jain

Robust Transforming Combiners from iO to Functional Encryption Prabhanjan Ananth Aayush Jain

Robust Transforming Combiners from iO to Functional Encryption Prabhanjan Ananth Aayush Jain Amit Sahai Since 2013 Two-Round (Adaptive) Multi-Party Computation Instantiating Random Oracles Non-Interactive Multi-party Key

1.33k views • 111 slides
Functional lower bounds for arithmetic circuits and connections to boolean circuit complexity

Functional lower bounds for arithmetic circuits and connections to boolean circuit complexity

Functional lower bounds for arithmetic circuits and connections to boolean circuit complexity Michael Forbes Mrinal Kumar Ramprasad Saptharishi Princeton University Rutgers University T el Aviv University Computational Complexity

1.35k views • 107 slides
Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides

More recommend