In this work, we study what minimal sets of assumptions suffice for constructing indistinguishability obfuscation (iO). We prove: Theorem (Informal): Assume sub-exponential security of the following assumptions: • the Learning Parity with Noise (LPN) assumption over general prime fields Fp with polynomially many LPN samples and error rate 1/k , where k is the dimension of the LPN secret, and δ > 0 is any constant; • the existence of a Boolean Pseudo-Random Generator (PRG) in NC with stretch n , where n is the length of the PRG seed, and τ > 0 is any constant; • the Decision Linear (DLIN) assumption on symmetric bilinear groups of prime order. Then, (subexponentially secure) indistinguishability obfuscation for all polynomial-size circuits exists. Further, assuming only polynomial security of the aforementioned assumptions, there exists collusion resistant public-key functional encryption for all polynomial-size circuits. This removes the reliance on the Learning With Errors (LW...
We initiate the study of a problem called the Polynomial Independence Distinguishing Problem (PIDP). The problem is parameterized by a set of polynomials Q = (q1, . . . , qm) where each qi : R → R and an input distribution D over the reals. The goal of the problem is to distinguish a tuple of the form {qi, qi(x)}i∈[m] from {qi, qi(xi)}i∈[m] where x, x1, . . . , xm are each sampled independently from the distribution D. Refutation and search versions of this problem are conjectured to be hard in general for polynomial time algorithms (Feige, STOC 02) and are also subject to known theoretical lower bounds for various hierarchies (such as Sum-of-Squares and Sherali-Adams). Nevertheless, we show polynomial time distinguishers for the problem in several scenarios, including settings where such lower bounds apply to the search or refutation versions of the problem. Our results apply to the setting when each polynomial is a constant degree multilinear polynomial. We show that this natural pr...
Harmony Search and Nature Inspired Optimization Algorithms, 2018
Over the past few years, several lightweight ciphers have been proposed to supplement the Internet of Things (IoT). FeW is one of the lightweight ciphers, which uses a mix of Feistel and generalized Feistel structures to achieve high efficiency in software-based department. This paper focuses on the analysis of the lightweight block cipher FeW using a machine learning approach. This approach involves using an artificial neural network to find the inherited biases present in the design of FeW.
A witness encryption (WE) scheme can take any \({{\textsf {NP}}}\) statement as a public-key and use it to encrypt a message. If the statement is true then it is possible to decrypt the message given a corresponding witness, but if the statement is false then the message is computationally hidden. Ideally, the encryption procedure should run in polynomial time, but it is also meaningful to define a weaker notion, which we call non-trivially exponentially efficient WE (XWE), where the encryption run-time is only required to be much smaller than the trivial \(2^{m}\) bound for \({{\textsf {NP}}}\) relations with witness size m. We show how to construct such XWE schemes for all of \({{\textsf {NP}}}\) with encryption run-time \(2^{m/2}\) under the sub-exponential learning with errors (LWE) assumption. For \({{\textsf {NP}}}\) relations that can be verified in \({{\textsf {NC}}^1}\) (e.g., SAT) we can also construct such XWE schemes under the sub-exponential Decisional Bilinear Diffie-H...
An affine determinant program ADP : {0, 1} → {0, 1} is specified by a tuple (A, B1, . . . , Bn) of square matrices over F_q and a function Eval : F_q → {0, 1}, and evaluated on x ∈ {0, 1} by computing Eval(det(A + ∑_{i∈[n]} x_i B_i)). In this work, we suggest ADPs as a new framework for building general-purpose obfuscation and witness encryption. We provide evidence to suggest that constructions following our ADP-based framework may one day yield secure, practically feasible obfuscation. As a proof-of-concept, we give a candidate ADP-based construction of indistinguishability obfuscation (iO) for all circuits along with a simple witness encryption candidate. We provide cryptanalysis demonstrating that our schemes resist several potential attacks, and leave further cryptanalysis to future work. Lastly, we explore practically feasible applications of our witness encryption candidate, such as public-key encryption with near-optimal key generation.
We formally define and give the first construction of (leveled) threshold fully homomorphic encryption for any access structure induced by a monotone boolean formula and in particular for the threshold access structure. Our construction is based on the learning with errors assumption and can be instantiated with any existing homomorphic encryption scheme that satisfies fairly general conditions, such as Gentry, Sahai, Waters (CRYPTO 2013) and Brakerski, Gentry, Vaikuntanathan (ITCS 2012). From threshold homomorphic encryption, we construct function secret sharing and distributed pseudorandom functions for the aforementioned access structures. No such constructions were known prior to this work.
The existence of secure indistinguishability obfuscators (iO) has far-reaching implications, significantly expanding the scope of problems amenable to cryptographic study. All known approaches to constructing iO rely on d-linear maps which allow the encoding of elements from a large domain, evaluating degree d polynomials on them, and testing if the output is zero. While secure bilinear maps are well established in cryptographic literature, the security of candidates for d > 2 is poorly understood. We propose a new approach to constructing iO for general circuits. Unlike all previously known realizations of iO, we avoid the use of d-linear maps of degree d ≥ 3. At the heart of our approach is the assumption that a new weak pseudorandom object exists, that we call a perturbation resilient generator (∆RG). Informally, a ∆RG maps n integers to m integers, and has the property that for any sufficiently short vector a ∈ Z, all efficient adversaries must fail to distinguish the distrib...
Security amplification is a fundamental problem in cryptography. In this work, we study security amplification for functional encryption (FE). We show two main results: For any constant \(\epsilon \in (0,1)\), we can amplify any FE scheme for \(\mathsf {P/poly}\) which is \(\epsilon \)-secure against all polynomial sized adversaries to a fully secure FE scheme for \(\mathsf {P/poly}\), unconditionally. For any constant \(\epsilon \in (0,1)\), we can amplify any FE scheme for \(\mathsf {P/poly}\) which is \(\epsilon \)-secure against subexponential sized adversaries to a fully subexponentially secure FE scheme for \(\mathsf {P/poly}\), unconditionally.
In this work, we introduce and construct D-restricted Functional Encryption (FE) for any constant D ≥ 3, based only on the SXDH assumption over bilinear groups. This generalizes the notion of 3-restricted FE recently introduced and constructed by Ananth et al. (ePrint 2018) in the generic bilinear group model. A D = (d+2)-restricted FE scheme is a secret key FE scheme that allows an encryptor to efficiently encrypt a message of the form M = (x, y, z). Here, x ∈ F_p^{d×n} and y, z ∈ F_p. Function keys can be issued for a function f = Σ_{I=(i1,...,id,j,k)} c_I · x[1, i1] ··· x[d, id] · y[j] · z[k] where the coefficients c_I ∈ F_p. Knowing the function key and the ciphertext, one can learn f(x, y, z), if this value is bounded in absolute value by some polynomial in the security parameter and n. The security requirement is that the ciphertext hides y and z, although it is not required to hide x. Thus x can be seen as a public attribute. D-restricted FE allows for useful evaluation of constant-degree p...
In this work, we explore the question of simultaneous privacy and soundness amplification for non-interactive zero-knowledge argument systems (NIZK). We show that any \(\delta _s\)-sound and \(\delta _z\)-zero-knowledge NIZK candidate satisfying \(\delta _s+\delta _z=1-\epsilon \), for any constant \(\epsilon >0\), can be turned into a computationally sound and zero-knowledge candidate with the only extra assumption of a subexponentially secure public-key encryption.
The existence of secure indistinguishability obfuscators (iO) has far-reaching implications, significantly expanding the scope of problems amenable to cryptographic study. A recent line of work [Ananth, Jain, and Sahai, 2018; Agrawal, 2018; Lin and Matt, 2018; Jain, Lin, Matt, and Sahai, 2019] has developed a new theory for building iO from simpler building blocks, and represents the state of the art in constructing iO from succinct and instance-independent assumptions. This line of work has culminated in a construction of iO from four assumptions, consisting of two standard assumptions, namely sub-exponentially secure LWE and SXDH over bilinear groups, and two other pseudorandomness assumptions: The first assumes weak pseudorandomness properties of generators computable by constant-degree polynomials over the integers, as well as an LWE leakage assumption, introduced by [Jain, Lin, Matt, and Sahai, 2019]. The second assumes the existence of Boolean PRGs with constant block localit...
Papers by Aayush Jain