Succinct Functional Encryption: Reusable Garbled Circuits and Beyond. Yael Kalai, Microsoft Research. Joint work with: Shafi Goldwasser (MIT), Raluca Ada Popa (MIT), Vinod Vaikuntanathan (U Toronto), Nickolai Zeldovich (MIT). * Thanks to Raluca and Vinod for the slides.
Example: Spam Filters [Diagram: Sender, Receiver, Spam filter; FHE.Eval of filter, E[spam?]] FHE is not enough! Need to decrypt computation result but nothing else!
Desired: Functional Encryption (FE) [Boneh-Sahai-Waters11, O’Neill11] Allows evaluator to decrypt computation result [Diagram: Client, Evaluator, compute] Syntax: Can release only one function key [Agrawal-Gorbunov-Vaikuntanathan-Wee12]
Outline • Example: Spam filters • Problem we solve: Functional Encryption (under LWE assumption) • Prior work • Main Application: Reusable Garbled Circuits • Application 2: FHE for Turing machines • Application 3: Publicly Verifiable and Secret Delegation • Our constructions
Prior Work • Functional encryption for inner product functions [Katz-Sahai-Waters’08, Shen-Shi-Waters’09] • Public-index functional encryption (also known as ABE or predicate encryption) [Sahai-Waters’05, Goyal-Pandey-Sahai-Waters’06, Bethencourt-Sahai-Waters’07, Goyal-Jain-Pandey-Sahai’08, Lewko-Okamoto-Sahai-Takashima-Waters’10, Waters’11, Lewko-Waters’12, Waters’12, Sahai-Waters’12, Gorbunov-Vaikuntanathan-Wee’13,…] • [Gorbunov-Vaikuntanathan-Wee’12]: Functional encryption for general functions, where grows with circuit size (e.g. size of email encryption depends on spam filter program size)
Open question: Is there an FE scheme for general functions with ciphertext size << circuit size (succinct)?
Our contribution: Succinct functional encryption Theorem. An FE scheme with succinct ciphertexts for general functions can be constructed from • FHE scheme • public-index functional encryption scheme Corollary. Under the sub-exp. LWE assumption, for any depth d, there is an FE scheme with succinct ciphertexts (whose size grows with d) for general functions computable by circuits of depth d.
Main Application: Reusable Garbled Circuits Yao garbled circuits [Yao82] • Secure two-party computation [Yao86], • (Constant round) multi-party computation [BMR90], • Parallel cryptography [AIK05], • One-time programs [GKR08], • Key-dependent message (KDM) security [BHHI09, A11], • Outsourcing computation [GGP10], • Circuit-private homomorphic encryption [GHV10], • and many others
Yao Garbled Circuits [Yao 82] [Figure: Boolean Circuit C, Garble(C), Garbled Circuit GC; Input x, Garble(x), Garbled Input; wire labels L1,0 L1,1 L2,0 L2,1 L3,0 L3,1 L4,0 L4,1]
Yao Garbled Circuits (Cont.) • Correctness: Given GC and , can compute C(x). • Security (Input & Circuit privacy): Given C(x) and 1^|C|, can simulate (GC, ). • Efficiency: |GC| = p(|C|) and || = p(|x|) [Figure: Garbled Circuit GC; Garbled Input; wire labels L1,0 L1,1 L2,0 L2,1 L3,0 L3,1 L4,0 L4,1]
Yao Garbled Circuits (Cont.) Theorem [Yao86]: If one-way functions exist, any polynomial-size circuit family can be garbled. [Figure: Garbled Circuit GC; Garbled Input; wire labels L1,0 L1,1 L2,0 L2,1 L3,0 L3,1 L4,0 L4,1]
Drawback: One-time [Figure: Garbled Circuit GC; label sets L1,0 L2,0 L3,0 L4,0 and L1,1 L3,1 L2,1 L4,1] Insecure to release two encodings and • No input or circuit privacy guarantees! • Can compute C(x) for unintended inputs x!
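The one-time drawback above, worked through on a single garbled AND gate. This is an added example, not from the slides; the hash-based row encryption, label sizes and function names are assumptions chosen for a toy. Once the evaluator holds encodings of two inputs, it can recombine their labels and evaluate the gate on an input that was never released.

```python
import hashlib, itertools, os, random

GATE_ID = b"gate-1"  # constructed gate identifier

def H(a, b):
    # Row key derived from one label per input wire.
    return hashlib.sha256(a + b + GATE_ID).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def garble_and():
    """Garble C(x1, x2) = x1 AND x2. Wires 1, 2 are inputs, wire 3 the output."""
    L = {(w, v): os.urandom(16) for w in (1, 2, 3) for v in (0, 1)}
    rows = []
    for a, b in itertools.product((0, 1), repeat=2):
        # Output label plus 16 zero bytes, so the right row is recognisable.
        rows.append(xor(H(L[1, a], L[2, b]), L[3, a & b] + bytes(16)))
    random.SystemRandom().shuffle(rows)  # hide which row belongs to which inputs
    decode = {L[3, 0]: 0, L[3, 1]: 1}
    return rows, L, decode

def garble_input(L, x1, x2):
    # Garble(x): exactly one label per input wire.
    return L[1, x1], L[2, x2]

def evaluate(rows, decode, l1, l2):
    pad = H(l1, l2)
    for row in rows:
        pt = xor(pad, row)
        if pt[16:] == bytes(16):
            return decode[pt[:16]]
    raise ValueError("labels open no row")

def two_encodings_demo():
    rows, L, decode = garble_and()
    enc_a = garble_input(L, 0, 1)  # released for x  = (0, 1)
    enc_b = garble_input(L, 1, 0)  # released for x' = (1, 0)
    intended = [evaluate(rows, decode, *enc_a), evaluate(rows, decode, *enc_b)]
    # Wire-1 label from enc_b (value 1) with wire-2 label from enc_a (value 1):
    unintended = evaluate(rows, decode, enc_b[0], enc_a[1])  # C(1, 1)
    return intended, unintended

if __name__ == "__main__":
    print(two_encodings_demo())
```

With a single encoding the evaluator holds one label per wire and can open exactly one row; the second encoding is what makes the other rows reachable.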
Main Application: Reusable Garbling Theorem: Under the sub-exp. LWE, there is a reusable circuit garbling scheme for poly size circuits such that: • poly(,|C|) • poly(where is the depth of (: security parameter)
Application 2: FHE for Turing machines [Diagram: Client, Evaluator, Program] circuit size worst-case running time of program Decrypt only the runtime of the instance, to avoid worst-case!
Application 3: Publicly-verifiable delegation with secrecy • [Gennaro-Gentry-Parno’10]: Yao + FHE secret privately-verifiable delegation • [Parno-Raikova-Vaikuntanathan’12]: public-index FE non-secret publicly-verifiable delegation • succinct FE publicly-verifiable delegation with secrecy
Outline [Diagram: LWE; public-index FE + FHE + Yao garbling; 1: succinct functional encryption; 2: reusable garbled circuits & FHE with input-specific efficiency; publicly-verifiable delegation with secrecy; implication to obfuscation; two items marked "Not today"]
Public-Index Functional Encryption (also known as ABE or predicate encryption) leaks input to the computation Variant: [Gorbunov-Vaikuntanathan-Wee13]: Public-index functional encryption for any (a priori fixed) depth d circuit, based on sub-exp. LWE assumption.
Intuition Not f! IDEA: Start with FHE IDEA: Use (one-time) Yao garbled for decryption
Intuition FE.Enc of input : 2. Generate garbled circuit and labels for Output FE.KeyGen for circuit f: FE.Dec(should obtain : 2. Obtain labels for 3. Compute and get How??
We need.. if , ) = 0, get label else gets keep one secret public input public predicate IDEA: The variant of public-index FE provides exactly this! • =
Intuition FE.Enc of input : 2. Generate garbled circuit and labels for 3. Output FE.KeyGen for circuit f: , where FE.Dec(should obtain : 2. Obtain labels for 3. Compute and get
Outline [Diagram: public-index FE + FHE + Yao garbling; succinct functional encryption; 2: reusable garbled circuits & FHE with input-specific efficiency; publicly-verifiable delegation with secrecy; implication to obfuscation]
Intuition Garble(C): Garble(x): Leaks C! IDEA: leverage secrecy of input to hide circuit
Intuition Garble(C): Garble(x):
Intuition Garble(C): Garble(x): Correctness? • on input and : • Decrypt to obtain • Run Security? Reusability?
Summary [Diagram: LWE; public-index FE + FHE + Yao garbling; 1: succinct functional encryption; 2: reusable garbled circuits & FHE with input-specific efficiency; publicly-verifiable delegation with secrecy; implication to obfuscation; two items marked "Not today"]
Thank you!