Presentation is loading. Please wait.

Presentation is loading. Please wait.

Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond

Published byKristian Dennis Modified over 8 years ago

Similar presentations

Presentation on theme: "Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond"β€” Presentation transcript:

1 Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond
Yael Kalai Microsoft Research Joint work with: Shafi Goldwasser Raluca Ada Popa Vinod Vaikuntanathan Nickolai Zeldovich MIT U Toronto * Thanks to Raluca and Vinod for the slides.

2 Example: Spam Filters Sender Receiver Spam filter 𝐸[π‘’π‘šπ‘Žπ‘–π‘™] FHE.Eval of filter 𝐸[π‘’π‘šπ‘Žπ‘–π‘™] E[spam?] FHE is not enough! Need to decrypt computation result but nothing else!

3 Desired: Functional Encryption (FE) [Boneh-Sahai-Waters11, O’Neill11]
Allows evaluator to decrypt computation result Client 𝐸 π‘₯ 1 ,..,𝐸[ π‘₯ 𝑛 ] Evaluator 𝑠 π‘˜ 𝑓 compute 𝒇 𝒙 𝟏 , …, 𝒇 𝒙 𝒏 Syntax: 𝑀𝑆𝐾, 𝑀𝑃𝐾 ←FE.Setup 1 π‘˜ 𝑐𝑑←FE.Enc 𝑀𝑃𝐾, π‘₯ 𝑠 π‘˜ 𝑓 ←FE.KeyGen 𝑀𝑆𝐾, 𝑓 f π‘₯ ←FE.Dec 𝑠 π‘˜ 𝑓 , 𝑐𝑑 Can release only one function key [Agrawal-Gorbunov-Vaikuntanathan-Wee12]

4 Outline Example: Spam filters
Problem we solve: Functional Encryption (under LWE assumption) Prior work Main Application: Reusable Garbled Circuits Application 2: FHE for Turing machines Application 3: Publicly Verifiable and Secret Delegation Our constructions

5 Prior Work Functional encryption for inner product functions
[Katz-Sahai-Waters’08, Shen-Shi-Waters’09] Public-index functional encryption (also known as ABE or predicate encryption) [Sahai-Waters’05, Goyal-Pandey-Sahai-Waters’06, Bethencourt-Sahai-Waters’07, Goyal-Jain- Pandey-Sahai’08, Lewko-Okamoto-Sahai-Takashima-Waters’10, Waters’11, Lewko- Waters’12, Waters’12, Sahai-Waters’12, Gorbunov-Vaikuntanathan-Wee’13,…] [Gorbunov-Vaikuntanathan-Wee’12]: Functional encryption for general functions, where |𝐸 π‘₯ | grows with circuit size (e.g. size of encryption depends on spam filter program size)

6 Open question: Is there a FE scheme for general functions with ciphertext size << circuit size? succinct

7 Our contribution: Succinct functional encryption
Theorem. A FE scheme with succinct ciphertexts for general functions can be constructed from FHE scheme public-index functional encryption scheme Corollary. Under the sub-exp. LWE assumption, for any depth d, there is a FE scheme with succinct ciphertexts (whose size grows with d) for general functions computable by circuits of depth d.

8 Main Application: Reusable Garbled Circuits
Yao garbled circuits [Yao82] Secure two-party computation [Yao86], (Constant round) multi-party computation [BMR90], Parallel cryptography [AIK05], One-time programs [GKR08], Key-dependent message (KDM) security [BHHI09, A11], Outsourcing computation [GGP10], Circuit-private homomorphic encryption [GHV10], and many others

9 Yao Garbled Circuits [Yao 82]
Boolean Circuit C Garbled Circuit GC + x Garble(C) Input 𝒙 Garbled Input π’ˆπ’™ Garble(x) L2,1 L1,0 L1,1 L2,0 L3,1 L3,0 L4,1 L4,0 𝒙= 1

10 Yao Garbled Circuits (Cont.)
Garbled Circuit GC Correctness: Given GC and π’ˆπ’™, can compute C(x). Security (Input & Circuit privacy) Given C(x) and 1|C|, can simulate (GC, π’ˆπ’™). Efficiency: |GC| = p(|C|) and |π’ˆπ’™| = p(|x|) Garbled Input π’ˆπ’™ L2,1 L1,0 L1,1 L2,0 L3,1 L3,0 L4,1 L4,0

11 Yao Garbled Circuits (Cont.)
Garbled Circuit GC Theorem: [Yao86] If one-way functions exist, any polynomial-size circuit family can be garbled. Garbled Input π’ˆπ’™ L2,1 L1,0 L1,1 L2,0 L3,1 L3,0 L4,1 L4,0

12 Drawback: One-time Garbled Circuit GC
insecure to release two encodings π’ˆπ’™ and π’ˆπ’™β€² L1,1 L3,0 L4,1 L2,0 L1,0 𝒙=𝟎𝟏𝟏𝟎 L4,0 π’ˆπ’™ No input or circuit privacy guarantees! Can compute C(x) for unintended inputs x! L2,1 L3,1 𝒙′=𝟏𝟎𝟎𝟏 π’ˆπ’™

13 Main Application: Reusable Garbling
Theorem: Under the sub-exp. LWE, there is a reusable circuit garbling scheme for poly size circuits such that: 𝐺𝐢 =poly(𝑛,|C|) 𝑔π‘₯ =poly(𝑛,|π‘₯|,𝑑) where 𝑑 is the depth of 𝐢 (𝑛: security parameter)

14 Application 2: FHE for Turing machines
Evaluator 𝐸[input] Program Client 𝐸[result] circuit size β‰₯ worst-case running time of program Decrypt only the runtime of the instance, to avoid worst-case!

15 Application 3: Publicly-verifiable delegation with secrecy
[Gennaro-Gentry-Parno’10]: Yao + FHE secret privately-verifiable delegation [Parno-Raikova-Vaikuntanathan’12]: public-index FE non-secret publicly-verifiable delegation succinct FE publicly-verifiable delegation with secrecy

16 Outline succinct functional encryption LWE public-index FE + FHE +
Yao garbling 1 succinct functional encryption Not today 2 Not today reusable garbled circuits & FHE with input-specific efficiency publicly-verifiable delegation with secrecy implication to obfuscation

17 Construction of FE

18 Public-Index Functional Encryption (also known as ABE or predicate encryption)
leaks input to the computation 𝑐𝑑←Enc π‘šπ‘π‘˜, π‘₯, π‘š Dec 𝑠 π‘˜ 𝑓 , 𝑐𝑑 = π‘š ,𝑖𝑓 𝑓 π‘₯ =1 βŠ₯ , 𝑖𝑓 𝑓 π‘₯ =0 Variant: 𝑐𝑑←Enc π‘šπ‘π‘˜, π‘₯, π‘š 0 , π‘š 1 Dec 𝑠 π‘˜ 𝑓 , 𝑐𝑑 = π‘š 0 ,𝑖𝑓 𝑓 π‘₯ =1 π‘š 1 , 𝑖𝑓 𝑓 π‘₯ =0 [Borgunov-Vaikuntanathan-Wee13]: Public-index functional encryption for any (a priori fixed) depth d circuit, based on sub-exp. LWE assumption.

19 Intuition IDEA: Start with FHE
π‘₯ ←FHE.Enc π‘₯ 𝑠 π‘˜ 𝑓 ←𝑓 𝑓(π‘₯) ←FHE.Eval(𝑓, π‘₯ ) Not f(𝒙)! IDEA: Start with FHE IDEA: Use (one-time) Yao garbled for decryption

20 Intuition FE.Enc of input π‘₯: FE.KeyGen for circuit f:
π‘₯ ←FHE.Enc π‘₯ 2. Generate garbled circuit Ξ“ and labels 𝐿 0 𝑖 , 𝐿 1 𝑖 𝑖 for Dec π‘ π‘˜ Output π‘₯ , Ξ“ FE.KeyGen for circuit f: 𝑠 π‘˜ 𝑓 ←𝑓 FE.Dec(𝑠 π‘˜ 𝑓 , 𝑐𝑑) should obtain 𝑓(π‘₯): 1. 𝑐𝑑= 𝑓(π‘₯) ←FHE.Eval(𝑓, π‘₯ ) 2. Obtain labels {𝐿 𝑖 𝑐 𝑑 𝑖 } for 𝑓(π‘₯) 3. Compute Gb.Eval Ξ“, 𝐿 𝑖 𝑒 𝑖 and get 𝑓(π‘₯) How??

21 We need.. IDEA: The variant of public-index FE provides exactly this!
if FHE. Eval i (𝑓, π‘₯ ) = 0, get label 𝐿 0 𝑖 , else gets 𝐿 1 𝑖 keep one secret public predicate public input IDEA: The variant of public-index FE provides exactly this! 𝑐𝑑←PI.Enc π‘₯ , 𝐿 0 𝑖 , 𝐿 1 𝑖 ) 𝑠 π‘˜ 𝑓 ←PI.KeyGen 𝑔 𝑖 PI.Dec 𝑠 π‘˜ 𝑓 , 𝑐𝑑 = 𝐿 0 𝑖 ,𝑖𝑓 𝑔 𝑖 π‘₯ =0 𝐿 1 𝑖 , 𝑖𝑓 𝑔 𝑖 π‘₯ =1

22 Intuition FE.Enc of input π‘₯: FE.KeyGen for circuit f:
π‘₯ ←FHE.Enc π‘₯ 2. Generate garbled circuit Ξ“ and labels 𝐿 0 𝑖 , 𝐿 1 𝑖 𝑖 for Dec π‘ π‘˜ 3. c 𝑑 𝑖 ←PI.Enc π‘₯ , 𝐿 0 𝑖 , 𝐿 1 𝑖 ) Output π‘₯ , Ξ“, ct i FE.KeyGen for circuit f: 𝑠 π‘˜ 𝑔 𝑖 ←PI.KeyGen 𝑔 𝑖 , where 𝑔 𝑖 =FHE. Eval i (𝑓,β‹…) FE.Dec(𝑠 π‘˜ 𝑓 , 𝑐𝑑) should obtain 𝑓(π‘₯): 1. 𝑐𝑑= 𝑓(π‘₯) ←FHE.Eval(𝑓, π‘₯ ) 2. Obtain labels {𝐿 𝑖 𝑐 𝑑 𝑖 } for 𝑓(π‘₯) 3. Compute Gb.Eval Ξ“, 𝐿 𝑖 𝑒 𝑖 and get 𝑓(π‘₯)

23 Outline succinct functional encryption public-index FE + FHE +
Yao garbling succinct functional encryption 2 reusable garbled circuits & FHE with input-specific efficiency publicly-verifiable delegation with secrecy implication to obfuscation

24 Intuition Garble(C): Γ← 𝐹𝐸.𝐾𝑒𝑦𝐺𝑒𝑛(𝐢) Garble(x): 𝑐𝑑←𝐹𝐸.𝐸𝑛𝑐(π‘₯)
Leaks C! IDEA: leverage secrecy of input to hide circuit

25 Intuition Garble(C): Γ← 𝐹𝐸.𝐾𝑒𝑦𝐺𝑒𝑛(𝐸𝑛 𝑐 π‘ π‘˜ 𝐢 ) Garble(x): 𝑐𝑑←𝐹𝐸.𝐸𝑛𝑐(π‘₯,π‘ π‘˜)

26 Intuition Garble(C): Γ← 𝐹𝐸.𝐾𝑒𝑦𝐺𝑒𝑛( π‘ˆ 𝐸𝑛 𝑐 π‘ π‘˜ (𝐢) ) Garble(x): 𝑐𝑑←𝐹𝐸.𝐸𝑛𝑐(π‘₯,π‘ π‘˜) Correctness? π‘ˆ 𝐸 on input π‘ π‘˜ and π‘₯: Decrypt E to obtain C Run 𝐢(π‘₯) Security? Reusability?

27 Summary succinct functional encryption LWE public-index FE + FHE +
Yao garbling 1 succinct functional encryption Not today 2 Not today reusable garbled circuits & FHE with input-specific efficiency publicly-verifiable delegation with secrecy implication to obfuscation

28 Thank you! + public-index FE succinct functional encryption FHE
LWE succinct functional encryption FHE Yao garbling reusable garbled circuits & FHE with input-specific efficiency publicly-verifiable delegation with secrecy + 1 2 implication to obfuscation

Download ppt "Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond"

Similar presentations

Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.

Ran Canetti, Yael Tauman Kalai, Mayank Varia, Daniel Wichs.
Controlled Functional Encryption Muhammad Naveed, Shashank Agrawal, Manoj Prabhakaran, Xiaofeng Wang, Erman Ayday, Jean-Pierre Hubaux, Carl A. Gunter.

Controlled Functional Encryption Muhammad Naveed, Shashank Agrawal, Manoj Prabhakaran, Xiaofeng Wang, Erman Ayday, Jean-Pierre Hubaux, Carl A. Gunter.
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Lattices, Cryptography and Computing with Encrypted Data

Lattices, Cryptography and Computing with Encrypted Data
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Twin Clouds: An Architecture for Secure Cloud Computing Term Paper Presented by: Komala Priya Chitturi.

Twin Clouds: An Architecture for Secure Cloud Computing Term Paper Presented by: Komala Priya Chitturi.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen.

Nir Bitansky, Ran Canetti, Omer Paneth, Alon Rosen.
How to Delegate Computations: The Power of No-Signaling Proofs Ron Rothblum Weizmann Institute Joint work with Yael Kalai and Ran Raz.

How to Delegate Computations: The Power of No-Signaling Proofs Ron Rothblum Weizmann Institute Joint work with Yael Kalai and Ran Raz.
Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE Bar-Ilan University Gilad Asharov UCLA Abhishek Jain NYU Adriana.

Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE Bar-Ilan University Gilad Asharov UCLA Abhishek Jain NYU Adriana.
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi, Mariana Raykova.

Outsourcing Private RAM Computation Daniel Wichs Northeastern University with: Craig Gentry, Shai Halevi, Mariana Raykova.
New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.

New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Nir Bitansky Ran Canetti Henry Cohn Shafi Goldwasser Yael Tauman-Kalai

Nir Bitansky Ran Canetti Henry Cohn Shafi Goldwasser Yael Tauman-Kalai
Two Round MPC via Multi-Key FHE Daniel Wichs (Northeastern University) Joint work with Pratyay Mukherjee.

Two Round MPC via Multi-Key FHE Daniel Wichs (Northeastern University) Joint work with Pratyay Mukherjee.
Simons Institute, Cryptography Boot Camp

Simons Institute, Cryptography Boot Camp
Remarks on Voting using Cryptography Ronald L. Rivest MIT Laboratory for Computer Science.

Remarks on Voting using Cryptography Ronald L. Rivest MIT Laboratory for Computer Science.
Chapter 13: Electronic Commerce and Information Security Invitation to Computer Science, C++ Version, Fourth Edition SP09: Contains security section (13.4)

Chapter 13: Electronic Commerce and Information Security Invitation to Computer Science, C++ Version, Fourth Edition SP09: Contains security section (13.4)

Similar presentations

Ads by Google