From Minicrypt to Obfustopia via Private-Key Functional Encryption

Abstract

Private-key functional encryption enables fine-grained access to symmetrically encrypted data. Although private-key functional encryption (supporting an unbounded number of keys and ciphertexts) seems significantly weaker than its public-key variant, its known realizations all rely on public-key functional encryption. At the same time, however, up until recently it was not known to imply any public-key primitive, demonstrating our poor understanding of this primitive. Bitansky et al. (Theory of cryptography—14th international conference, TCC 2016-B, 2016) showed that sub-exponentially secure private-key functional encryption bridges from nearly exponential security in Minicrypt to slightly super-polynomial security in Cryptomania, and from sub-exponential security in Cryptomania to Obfustopia. Specifically, given any sub-exponentially secure private-key functional encryption scheme and a nearly exponentially secure one-way function, they constructed a public-key encryption scheme with slightly super-polynomial security. Assuming, in addition, a sub-exponentially secure public-key encryption scheme, they then constructed an indistinguishability obfuscator (or a public-key functional encryption scheme if the given building blocks are polynomially secure).

We show that quasi-polynomially secure private-key functional encryption bridges from sub-exponential security in Minicrypt all the way to Cryptomania. First, given any quasi-polynomially secure private-key functional encryption scheme, we construct an indistinguishability obfuscator for circuits with inputs of poly-logarithmic length. Then, we observe that such an obfuscator can be used to instantiate many natural applications of indistinguishability obfuscation. Specifically, relying on sub-exponentially secure one-way functions, we show that quasi-polynomially secure private-key functional encryption implies not just public-key encryption but leads all the way to public-key functional encryption for circuits with inputs of poly-logarithmic length. Moreover, relying on sub-exponentially secure injective one-way functions, we show that quasi-polynomially secure private-key functional encryption implies a hard-on-average distribution over instances of a PPAD-complete problem. Underlying our constructions is a new transformation from single-input functional encryption to multi-input functional encryption in the private-key setting. The previously known such transformation (Brakerski et al. J Cryptol 31(2):434–520, 2018) required a sub-exponentially secure single-input scheme, and obtained a scheme supporting only a slightly super-constant number of inputs. Our transformation both relaxes the underlying assumption and supports more inputs: Given any quasi-polynomially secure single-input scheme, we obtain a scheme supporting a poly-logarithmic number of inputs.

Notes

  1. As a concrete (yet quite general) example, consider a user who stores her data on a remote server: The user uses the master secret key both for encrypting her data, and for generating functional keys that will enable the server to offer her various useful services.

  2. This is not true in various restricted cases, for example, when the functional encryption scheme has to support an a priori bounded number of functional keys or ciphertexts [39]. However, as mentioned, we focus on schemes that support an unbounded number of functional keys and ciphertexts.

  3. This holds even if the construction is allowed to generate functional keys (in a non-black-box manner) for any circuit that invokes one-way functions in a black-box manner.

  4. Bitansky et al. overcome the black-box barrier introduced by Asharov and Segev [8] by relying on the non-black-box construction of a private-key multi-input functional encryption scheme of Brakerski et al. [13].

  5. In this work, we focus on selectively secure schemes, where an adversary first submits all of its encryption queries, and can then adaptively interact with the key-generation oracle (see Definition 2.7). This notion of security suffices for the applications we consider in this paper.

  6. A similar strategy was also employed by Ananth and Jain [4] that showed how to use any \(t\)-input private-key scheme to get a private-key \((t+1)\)-input scheme under the additional assumption that a public-key functional encryption scheme exists. Their construction, however, did not incur the polynomial blowup and could be applied all the way to get a scheme that supports a polynomial number of inputs.

  7. We note that the notion of function privacy is very different from the one in the private-key setting, and in particular, natural definitions already imply obfuscation.

  8. We focus on selective security and do not define full security since there is a generic transformation [3].

  9. The injective one-way function can be relaxed to be a family of one-way functions such that a random element is an injective function with high probability. Furthermore, this primitive will not be used in the construction, but rather only in the proof of security.

References

  1. S. Agrawal, S. Agrawal, S. Badrinarayanan, A. Kumarasubramanian, M. Prabhakaran, A. Sahai, Function private functional encryption and property preserving encryption: new definitions and positive results. Cryptology ePrint Archive, Report 2013/744 (2013)

  2. P. Ananth, D. Boneh, S. Garg, A. Sahai, M. Zhandry, Differing-inputs obfuscation and applications. Cryptology ePrint Archive, Report 2013/689 (2013)

  3. P. Ananth, Z. Brakerski, G. Segev, V. Vaikuntanathan, From selective to adaptive security in functional encryption, in Advances in Cryptology—CRYPTO ’15 (2015), pp. 657–677

  4. P. Ananth, A. Jain, Indistinguishability obfuscation from compact functional encryption, in Advances in Cryptology—CRYPTO ’15 (2015), pp. 308–326

  5. P. Ananth, A. Jain, M. Naor, A. Sahai, E. Yogev, Universal constructions and robust combiners for indistinguishability obfuscation and witness encryption, in Advances in Cryptology—CRYPTO ’16 (2016), pp. 491–520

  6. P. Ananth, A. Jain, A. Sahai, Achieving compactness generically: indistinguishability obfuscation from non-compact functional encryption. Cryptology ePrint Archive, Report 2015/730 (2015)

  7. T. Abbot, D. Kane, P. Valiant, On algorithms for Nash equilibria (2004)

  8. G. Asharov, G. Segev, Limits on the power of indistinguishability obfuscation and functional encryption. SIAM J. Comput., 45(6), 2117–2176 (2016)

  9. E. Boyle, K. Chung, R. Pass, On extractability obfuscation, in Proceedings of the 11th Theory of Cryptography Conference, TCC (2014), pp. 52–73

  10. Z. Brakerski, C. Gentry, S. Halevi, T. Lepoint, A. Sahai, M. Tibouchi, Cryptanalysis of the quadratic zero-testing of GGH. Cryptology ePrint Archive, Report 2015/845 (2015)

  11. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs. J. ACM, 59(2), 6 (2012)

  12. E. Boyle, S. Goldwasser, I. Ivan, Functional signatures and pseudorandom functions, in Proceedings of the 17th International Conference on Practice and Theory in Public-Key Cryptography (2014), pp. 501–519

  13. Z. Brakerski, I. Komargodski, G. Segev, Multi-input functional encryption in the private-key setting: stronger security from weaker assumptions. J. Cryptol., 31(2), 434–520 (2018)

  14. D. Boneh, K. Lewi, M. Raykova, A. Sahai, M. Zhandry, J. Zimmerman, Semantically secure order-revealing encryption: Multi-input functional encryption without obfuscation, in Advances in Cryptology—EUROCRYPT ’15 (2015), pp. 563–594

  15. N. Bitansky, R. Nishimaki, A. Passelègue, D. Wichs, From Cryptomania to Obfustopia through secret-key functional encryption, in Theory of Cryptography—14th International Conference, TCC 2016-B (2016), pp. 391–418

  16. N. Bitansky, O. Paneth, A. Rosen, On the cryptographic hardness of finding a Nash equilibrium, in Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science (2015), pp. 1480–1498

  17. D. Boneh, A. Raghunathan, G. Segev, Function-private identity-based encryption: hiding the function in functional encryption, in Advances in Cryptology—CRYPTO ’13 (2013), pp. 461–478

  18. D. Boneh, A. Raghunathan, G. Segev, Function-private subspace-membership encryption and its applications, in Advances in Cryptology—ASIACRYPT ’13 (2013), pp. 255–275

  19. Z. Brakerski, G. Segev, Function-private functional encryption in the private-key setting, in Proceedings of the 12th Theory of Cryptography Conference, TCC (2015), pp. 306–324

  20. D. Boneh, A. Sahai, B. Waters, Functional encryption: definitions and challenges, in Proceedings of the 8th Theory of Cryptography Conference, TCC (2011), pp. 253–273

  21. D. Boneh, A. Sahai, B. Waters, Functional encryption: a new vision for public-key cryptography. Commun. ACM, 55(11), 56–64 (2012)

  22. N. Bitansky, V. Vaikuntanathan, Indistinguishability obfuscation from functional encryption, in Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science (2015), pp. 171–190

  23. D. Boneh, B. Waters, Constrained pseudorandom functions and their applications, in Advances in Cryptology—ASIACRYPT ’13 (2013), pp. 280–300

  24. X. Chen, X. Deng, S. Teng, Settling the complexity of computing two-player Nash equilibria. J. ACM, 56(3), 14 (2009)

  25. J.H. Cheon, P. Fouque, C. Lee, B. Minaud, H. Ryu, Cryptanalysis of the new CLT multilinear map over the integers, in Advances in Cryptology—EUROCRYPT (2016), pp. 509–536

  26. J. Coron, C. Gentry, S. Halevi, T. Lepoint, H.K. Maji, E. Miles, M. Raykova, A. Sahai, M. Tibouchi, Zeroizing without low-level zeroes: new MMAP attacks and their limitations, in Advances in Cryptology—CRYPTO ’15 (2015), pp. 247–266

  27. J.H. Cheon, K. Han, C. Lee, H. Ryu, D. Stehlé, Cryptanalysis of the multilinear map over the integers, in Advances in Cryptology—EUROCRYPT ’15 (2015), pp. 3–12

  28. J.H. Cheon, J. Jeong, C. Lee, An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without an encoding of zero. Cryptology ePrint Archive, Report 2016/139 (2016)

  29. C. Daskalakis, P. W. Goldberg, C.H. Papadimitriou, The complexity of computing a Nash equilibrium. Commun. ACM, 52(2), 89–97 (2009)

  30. C. Daskalakis, P.W. Goldberg, C.H. Papadimitriou, The complexity of computing a Nash equilibrium. SIAM J. Comput., 39(1), 195–259 (2009)

  31. C. Daskalakis, C.H. Papadimitriou, Continuous local search, in Proceedings of the 22nd Annual ACM-SIAM Symposium on Discrete Algorithms (2011), pp. 790–804

  32. S. Goldwasser, S.D. Gordon, V. Goyal, A. Jain, J. Katz, F.-H. Liu, A. Sahai, E. Shi, H.-S. Zhou, Multi-input functional encryption, in Advances in Cryptology—EUROCRYPT ’14 (2014), pp. 578–602

  33. S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits, in Proceedings of the 54th Annual IEEE Symposium on Foundations of Computer Science (2013), pp. 40–49

  34. S. Garg, C. Gentry, S. Halevi, M. Zhandry, Functional encryption without obfuscation, in Proceedings of the 13th Theory of Cryptography Conference, TCC (2016), pp. 480–511

  35. O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions. J. ACM, 33(4), 792–807 (1986)

  36. S. Goldwasser, Y. Kalai, R.A. Popa, V. Vaikuntanathan, N. Zeldovich, Reusable garbled circuits and succinct functional encryption, in Proceedings of the 45th Annual ACM Symposium on Theory of Computing (2013), pp. 555–564

  37. S. Garg, O. Pandey, A. Srinivasan, Revisiting the cryptographic hardness of finding a Nash equilibrium, in Advances in Cryptology—CRYPTO ’16 (2016), pp. 579–604

  38. S. Garg, A. Srinivasan, Single-key to multi-key functional encryption with polynomial loss, in Theory of Cryptography—14th International Conference, TCC (2016), pp. 419–442

  39. S. Gorbunov, V. Vaikuntanathan, H. Wee, Functional encryption with bounded collusions via multi-party computation, in Advances in Cryptology—CRYPTO ’12 (2012), pp. 162–179

  40. Y. Hu, H. Jia, Cryptanalysis of GGH map, in Advances in Cryptology—EUROCRYPT (2016), pp. 537–565

  41. P. Hubácek, E. Yogev, Hardness of continuous local search: Query complexity and cryptographic lower bounds, in Proceedings of the 28th Annual ACM-SIAM Symposium on Discrete Algorithms, SODA (2017), pp. 1352–1371

  42. R. Impagliazzo, A personal view of average-case complexity, in Proceedings of the 10th Annual Structure in Complexity Theory Conference (1995), pp. 134–147

  43. I. Komargodski, T. Moran, M. Naor, R. Pass, A. Rosen, E. Yogev, One-way functions and (im)perfect obfuscation, in Proceedings of the 55th Annual IEEE Symposium on Foundations of Computer Science (2014), pp. 374–383

  44. F. Kitagawa, R. Nishimaki, K. Tanaka, Obfustopia built on secret-key functional encryption, in Advances in Cryptology—EUROCRYPT (2018), pp. 603–648

  45. A. Kiayias, S. Papadopoulos, N. Triandopoulos, T. Zacharias, Delegatable pseudorandom functions and applications, in Proceedings of the 20th Annual ACM Conference on Computer and Communications Security (2013), pp. 669–684

  46. I. Komargodski, G. Segev, E. Yogev, Functional encryption for randomized functionalities in the private-key setting from minimal assumptions. J. Cryptol., 31(1), 60–100 (2018)

  47. B. Li, D. Micciancio, Compactness vs collusion resistance in functional encryption, in Theory of Cryptography—14th International Conference, TCC (2016), pp. 443–468

  48. E. Miles, A. Sahai, M. Zhandry, Annihilation attacks for multilinear maps: cryptanalysis of indistinguishability obfuscation over GGH13, in Advances in Cryptology—CRYPTO (2016), pp. 629–658

  49. A. O’Neill, Definitional issues in functional encryption. Cryptology ePrint Archive, Report 2010/556 (2010)

  50. C.H. Papadimitriou, On the complexity of the parity argument and other inefficient proofs of existence. J. Comput. Syst. Sci., 48(3), 498–532 (1994)

  51. E. Shen, E. Shi, B. Waters, Predicate privacy in encryption systems, in Proceedings of the 6th Theory of Cryptography Conference, TCC (2009), pp. 457–473

  52. A. Sahai, B. Waters, Slides on functional encryption (2008). http://www.cs.utexas.edu/~bwaters/presentations/files/functional.ppt

  53. A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in Proceedings of the 46th Annual ACM Symposium on Theory of Computing (2014), pp. 475–484

  54. B. Waters, A punctured programming approach to adaptively secure functional encryption, in Advances in Cryptology—CRYPTO ’15 (2015), pp. 678–697

Acknowledgements

We thank Zvika Brakerski and the anonymous referees for many valuable comments. The first author thanks his advisor Moni Naor for his support and guidance.

Author information

Corresponding author

Correspondence to Ilan Komargodski.

Additional information

Ilan Komargodski: Supported in part by a Packard Foundation Fellowship and by an AFOSR Grant FA9550-15-1-0262. Work done while being a Ph.D. student at the Weizmann Institute of Science, supported by grants from the Israel Science Foundation (No. 950/16) and by a Levzion Fellowship.

Gil Segev: Supported by the European Union’s 7th Framework Program (FP7) via a Marie Curie Career Integration Grant, by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (Grant No. 714253), by the Israel Science Foundation (Grant No. 483/13), by the Israeli Centers of Research Excellence (I-CORE) Program (Center No. 4/11), by the US-Israel Binational Science Foundation (Grant No. 2014632), and by a Google Faculty Research Award.

Communicated by Rafail Ostrovsky.

About this article

Cite this article

Komargodski, I., Segev, G. From Minicrypt to Obfustopia via Private-Key Functional Encryption. J Cryptol 33, 406–458 (2020). https://doi.org/10.1007/s00145-019-09327-x

Keywords

  • Private-key functional encryption
  • Multi-input functional encryption
  • PPAD hardness
  • Indistinguishability obfuscation