## CryptoDB

### Monosij Maitra

#### Publications

**Year**

**Venue**

**Title**

2020

PKC

Adaptive Simulation Security for Inner Product Functional Encryption
📺
Abstract

Inner product functional encryption ( $${mathsf {IPFE}}$$ ) [ 1 ] is a popular primitive which enables inner product computations on encrypted data. In $${mathsf {IPFE}}$$ , the ciphertext is associated with a vector $$varvec{x}$$ , the secret key is associated with a vector $$varvec{y}$$ and decryption reveals the inner product $$langle varvec{x},varvec{y}
angle $$ . Previously, it was known how to achieve adaptive indistinguishability ( $$mathsf {IND}$$ ) based security for $${mathsf {IPFE}}$$ from the $$mathsf {DDH}$$ , $$mathsf {DCR}$$ and $$mathsf {LWE}$$ assumptions [ 8 ]. However, in the stronger simulation ( $$mathsf {SIM}$$ ) based security game, it was only known how to support a restricted adversary that makes all its key requests either before or after seeing the challenge ciphertext, but not both. In more detail, Wee [ 46 ] showed that the $$mathsf {DDH}$$ -based scheme of Agrawal et al. (Crypto 2016) achieves semi-adaptive simulation-based security, where the adversary must make all its key requests after seeing the challenge ciphertext. On the other hand, O’Neill showed that all $$mathsf {IND}$$ -secure $${mathsf {IPFE}}$$ schemes (which may be based on $$mathsf {DDH}$$ , $$mathsf {DCR}$$ and $$mathsf {LWE}$$ ) satisfy $$mathsf {SIM}$$ based security in the restricted model where the adversary makes all its key requests before seeing the challenge ciphertext. In this work, we resolve the question of $$mathsf {SIM}$$ -based security for $${mathsf {IPFE}}$$ by showing that variants of the $${mathsf {IPFE}}$$ constructions by Agrawal et al. , based on $$mathsf {DDH}$$ , Paillier and $$mathsf {LWE}$$ , satisfy the strongest possible adaptive $$mathsf {SIM}$$ -based security where the adversary can make an unbounded number of key requests both before and after seeing the (single) challenge ciphertext. This establishes optimal security of the $${mathsf {IPFE}}$$ schemes, under all hardness assumptions on which it can (presently) be based.

2019

CRYPTO

Attribute Based Encryption (and more) for Nondeterministic Finite Automata from LWE
📺
Abstract

Constructing Attribute Based Encryption (ABE) [56] for uniform models of computation from standard assumptions, is an important problem, about which very little is known. The only known ABE schemes in this setting that (i) avoid reliance on multilinear maps or indistinguishability obfuscation, (ii) support unbounded length inputs and (iii) permit unbounded key requests to the adversary in the security game, are by Waters from Crypto, 2012 [57] and its variants. Waters provided the first ABE for Deterministic Finite Automata (DFA) satisfying the above properties, from a parametrized or “q-type” assumption over bilinear maps. Generalizing this construction to Nondeterministic Finite Automata (NFA) was left as an explicit open problem in the same work, and has seen no progress to date. Constructions from other assumptions such as more standard pairing based assumptions, or lattice based assumptions has also proved elusive.In this work, we construct the first symmetric key attribute based encryption scheme for nondeterministic finite automata (NFA) from the learning with errors (LWE) assumption. Our scheme supports unbounded length inputs as well as unbounded length machines. In more detail, secret keys in our construction are associated with an NFA M of unbounded length, ciphertexts are associated with a tuple $$(\mathbf {x}, m)$$ where $$\mathbf {x}$$ is a public attribute of unbounded length and m is a secret message bit, and decryption recovers m if and only if $$M(\mathbf {x})=1$$.Further, we leverage our ABE to achieve (restricted notions of) attribute hiding analogous to the circuit setting, obtaining the first predicate encryption and bounded key functional encryption schemes for NFA from LWE. We achieve machine hiding in the single/bounded key setting to obtain the first reusable garbled NFA from standard assumptions. In terms of lower bounds, we show that secret key functional encryption even for DFAs, with security against unbounded key requests implies indistinguishability obfuscation ($$\mathsf {iO}$$) for circuits; this suggests a barrier in achieving full fledged functional encryption for NFA.

2019

TCC

Attribute Based Encryption for Deterministic Finite Automata from $\mathsf{DLIN}$
Abstract

Waters [Crypto, 2012] provided the first attribute based encryption scheme ABE for Deterministic Finite Automata (DFA) from a parametrized or “q-type” assumption over bilinear maps. Obtaining a construction from static assumptions has been elusive, despite much progress in the area of ABE.In this work, we construct the first attribute based encryption scheme for DFA from static assumptions on pairings, namely, the $$\mathsf{DLIN}$$ assumption. Our scheme supports unbounded length inputs, unbounded length machines and unbounded key requests. In more detail, secret keys in our construction are associated with a DFA M of unbounded length, ciphertexts are associated with a tuple $$(\mathbf {x}, \mathsf {\mu })$$ where $$\mathbf {x}$$ is a public attribute of unbounded length and $$\mathsf {\mu }$$ is a secret message bit, and decryption recovers $$\mathsf {\mu }$$ if and only if $$M(\mathbf {x})=1$$.Our techniques are at least as interesting as our final result. We present a simple compiler that combines constructions of unbounded ABE schemes for monotone span programs (MSP) in a black box way to construct ABE for DFA. In more detail, we find a way to embed DFA computation into monotone span programs, which lets us compose existing constructions (modified suitably) of unbounded key-policy ABE ($${\mathsf {kpABE}}$$) and unbounded ciphertext-policy ABE ($${\mathsf {cpABE}}$$) for MSP in a simple and modular way to obtain key-policy ABE for DFA. Our construction uses its building blocks in a symmetric way – by swapping the use of the underlying $${\mathsf {kpABE}}$$ and $${\mathsf {cpABE}}$$, we also obtain a construction of ciphertext-policy ABE for DFA.Our work extends techniques developed recently by Agrawal, Maitra and Yamada [Crypto 2019], which show how to construct ABE that support unbounded machines and unbounded inputs by combining ABE schemes that are bounded in one co-ordinate. At the heart of our work is the observation that unbounded, multi-use ABE for MSP already achieve most of what we need to build ABE for DFA.

2018

TCC

FE and iO for Turing Machines from Minimal Assumptions
Abstract

We construct Indistinguishability Obfuscation ($$\mathsf {iO}$$) and Functional Encryption ($$\mathsf {FE}$$) schemes in the Turing machine model from the minimal assumption of compact $$\mathsf {FE}$$ for circuits ($$\mathsf {CktFE}$$). Our constructions overcome the barrier of sub-exponential loss incurred by all prior work. Our contributions are:1.We construct $$\mathsf {iO}$$ in the Turing machine model from the same assumptions as required in the circuit model, namely, sub-exponentially secure $$\mathsf {FE}$$ for circuits. The previous best constructions [6, 41] require sub-exponentially secure $$\mathsf {iO}$$ for circuits, which in turn requires sub-exponentially secure $$\mathsf {FE}$$ for circuits [5, 15].2.We provide a new construction of single input $$\mathsf {FE}$$ for Turing machines with unbounded length inputs and optimal parameters from polynomially secure, compact $$\mathsf {FE}$$ for circuits. The previously best known construction by Ananth and Sahai [7] relies on $$\mathsf {iO}$$ for circuits, or equivalently, sub-exponentially secure $$\mathsf {FE}$$ for circuits.3.We provide a new construction of multi-input $$\mathsf {FE}$$ for Turing machines. Our construction supports a fixed number of encryptors (say k), who may each encrypt a string $$\mathbf {x}_i$$ of unbounded length. We rely on sub-exponentially secure $$\mathsf {FE}$$ for circuits, while the only previous construction [10] relies on a strong knowledge type assumption, namely, public coin differing inputs obfuscation.
Our techniques are new and from first principles, and avoid usage of sophisticated $$\mathsf {iO}$$ specific machinery such as positional accumulators and splittable signatures that were used by all relevant prior work [6, 7, 41].

#### Coauthors

- Shweta Agrawal (4)
- Benoît Libert (1)
- Radu Titiu (1)
- Shota Yamada (2)