Adaptively Secure and Succinct Functional Encryption: Improving Security and Efficiency, Simultaneously

Kitagawa, Fuyuki; Nishimaki, Ryo; Tanaka, Keisuke; Yamakawa, Takashi

doi:10.1007/978-3-030-26954-8_17

Cited by 18 publications

(4 citation statements)

References 48 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our main technical insight is that we can combine the one-time secure SKE with certified deletion of [BI20] and plain PKE to construct PKE with certified deletion by a simple hybrid encryption technique if the latter satisfies receiver non-committing (RNC) security [CFGN96,JL00,CHK05]. Since it is known that PKE/SKE with RNC security can be constructed from any IND-CPA secure PKE/SKE [CHK05,KNTY19], our first result follows.…”

Section: Pke and Abe With Certified Deletion And Quantum Communicationmentioning

confidence: 94%

“…If we use secret key RNCE instead of public key RNCE, we can achieve reusable SKE with certified deletion via the design idea above. Secret/public key RNCE can be constructed from IND-CPA SKE/PKE, respectively [CHK05,KNTY19], and SKE with certified deletion exists unconditionally [BI20]. Thus, we can achieve PKE (resp.…”

Section: Encmentioning

confidence: 99%

“…Our NCABE construction follows the RNCE construction based on IND-CPA PKE [CHK05,KNTY19]. However, the crucial difference between the PKE and ABE settings is that, in the ABE setting, adversaries are given many secret keys for queried policies (that is, we consider collusion-resistance).…”

Section: Encmentioning

confidence: 99%

See 2 more Smart Citations

Quantum Encryption with Certified Deletion, Revisited: Public Key, Attribute-Based, and Classical Communication

Hiroka,

Morimae,

Nishimaki

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Broadbent and Islam (TCC '20) proposed a quantum cryptographic primitive called quantum encryption with certified deletion. In this primitive, a receiver in possession of a quantum ciphertext can generate a classical certificate that the encrypted message is deleted. Although their construction is information-theoretically secure, it is limited to the setting of one-time symmetric key encryption (SKE), where a sender and receiver have to share a common key in advance and the key can be used only once. Moreover, the sender has to generate a quantum state and send it to the receiver over a quantum channel in their construction. Although deletion certificates are privately verifiable, which means a verification key for a certificate has to be kept secret, in the definition by Broadbent and Islam, we can also consider public verifiability.In this work, we present various constructions of encryption with certified deletion. * This is a major update version of the paper by Nishimaki and Yamakawa [NY21] with many new results.one-shot signatures prevents decryption of witness encryption after issuing a valid deletion certificate. Georgiou and Zhandry [GZ20] used a similar combination of one-shot signatures and witness encryption to construct unclonable decryption keys. Related workBefore the work by Broadbent and Islam [BI20], Fu and Miller [FM18] and Coiteux-Roy and Wolf [CRW19] also studied the concept of certifying deletion of information in different settings. (See [BI20] for the comparison with these works.)The quantum encryption scheme with certified deletion by Broadbent and Islam [BI20] is based on Wiesner's conjugate coding, which is the backbone of quantum money [Wie83] and quantum key distribution [BB84]. A similar idea has been used in many constructions in quantum cryptography that include (but not limited to) revocable quantum timed-release encryption [Unr15], uncloneable quantum encryption [BL20], single-decryptor encryption [GZ20], and copy protection/secure software leasing [CMP20]. Among them, revocable quantum timed-release encryption is conceptually similar to quantum encryption with certified deletion. In this primitive, a receiver can decrypt a quantum ciphertext only after spending a certain amount of time T . The receiver can also choose to return the ciphertext before the time T is over, in which case it is ensured that the message can no longer be recovered. As observed by Broadbent and Islam [BI20], an essential difference from quantum encryption with certified deletion is that the revocable quantum timed-release encryption does not have a mechanism to generate a classical certificate of deletion. Moreover, the construction by Unruh [Unr15] heavily relies on the random oracle heuristic [BR97, BDF + 11], and there is no known construction without random oracles.Kundu and Tan [KT20] constructed (one-time symmetric key) quantum encryption with certified deletion with the device-independent security, i.e., the security holds even if quantum devices are untrusted. Moreover, they show that their cons...

show abstract

Section: Pke and Abe With Certified Deletion And Quantum Communicationmentioning

confidence: 94%

Section: Encmentioning

confidence: 99%

See 1 more Smart Citation

Quantum Encryption with Certified Deletion, Revisited: Public Key, Attribute-Based, and Classical Communication

Hiroka,

Morimae,

Nishimaki

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…In this section, we construct a certified everlasting RNCE scheme from a certified everlasting PKE scheme (Definition 4.1). Our construction is similar to that of the secret-key RNCE scheme presented in [KNTY19]. The difference is that we use a certified everlasting PKE scheme instead of an ordinary SKE scheme.…”

Section: Constructionmentioning

confidence: 99%

Certified Everlasting Functional Encryption

Hiroka¹,

Morimae²,

Nishimaki³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Computational security in cryptography has a risk that computational assumptions underlying the security are broken in the future. One solution is to construct information-theoretically-secure protocols, but many cryptographic primitives are known to be impossible (or unlikely) to have information-theoretical security even in the quantum world. A nice compromise (intrinsic to quantum) is certified everlasting security, which roughly means the following. A receiver with possession of quantum encrypted data can issue a certificate that shows that the receiver has deleted the encrypted data. If the certificate is valid, the security is guaranteed even if the receiver becomes computationally unbounded. Although several cryptographic primitives, such as commitments and zero-knowledge, have been made certified everlasting secure, there are many other important primitives that are not known to be certified everlasting secure.In this paper, we introduce certified everlasting FE. In this primitive, the receiver with the ciphertext of a message m and the functional decryption key of a function f can obtain f (m) and nothing else. The security holds even if the adversary becomes computationally unbounded after issuing a valid certificate. We, first, construct certified everlasting FE for P/poly circuits where only a single key query is allowed for the adversary. We, then, extend it to q-bounded one for NC 1 circuits where q-bounded means that q key queries are allowed for the adversary with an a priori bounded polynomial q. For the construction of certified everlasting FE, we introduce and construct certified everlasting versions of secret-key encryption, public-key encryption, receiver non-committing encryption, and a garbling scheme, which are of independent interest. A Proof ofTheorem 5.6 B Proof of Theorem 6.7 C Proof of Theorem 7.10 D Proof of Theorem 7.12 E Proof of Theorem 7.14 model (QROM) [BDF + 11]. On the other hand, in the second construction, the security holds without relying on the QROM, but the certificate is quantum.3. We construct certified everlasting RNCE from certified everlasting PKE in a black-box way (Section 5.2).4. We construct a certified everlasting garbling scheme for all P/poly circuits from certified everlasting SKE in a black-box way (Section 6.2).5. We construct 1-bounded certified everlasting FE with adaptive security for all P/poly circuits. The adaptive security means that the adversary can call key queries before and after seeing the challenge ciphertext. The 1-bounded means that only a single key query is allowed for the adversary. The construction is done in the following two steps. First, we construct 1-bounded certified everlasting FE with non-adaptive security for all P/poly circuits from a certified everlasting garbling scheme and certified everlasting PKE in a black-box way (Section 7.2). Second, we change it to the adaptively-secure one by using certified everlasting RNCE in a black-box way (Section 7.3).6. We construct q-bounded certified everlasting FE with adaptive security fo...

show abstract

Compact Adaptively Secure ABE from k-Lin: Beyond $$\mathsf {NC}^1$$ and Towards $$\mathsf {NL}$$

Lin

Luo

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Adaptively Secure and Succinct Functional Encryption: Improving Security and Efficiency, Simultaneously

Cited by 18 publications

References 48 publications

Quantum Encryption with Certified Deletion, Revisited: Public Key, Attribute-Based, and Classical Communication

Quantum Encryption with Certified Deletion, Revisited: Public Key, Attribute-Based, and Classical Communication

Certified Everlasting Functional Encryption

Compact Adaptively Secure ABE from k-Lin: Beyond $$\mathsf {NC}^1$$ and Towards $$\mathsf {NL}$$

Contact Info

Product

Resources

About