TY - GEN
T1 - Spooky encryption and its applications
AU - Dodis, Yevgeniy
AU - Halevi, Shai
AU - Rothblum, Ron D.
AU - Wichs, Daniel
PY - 2016
Y1 - 2016
N2 - Consider encrypting n inputs under n independent public keys. Given the ciphertexts {ci = Encpki (xi)}i, Alice outputs ciphertexts c’1,…, c‘n that decrypt to y1,…, yn respectively. What relationships between the xi’s and yi’s can Alice induce? Motivated by applications to delegating computations, Dwork et al. [11] showed that a semantically secure scheme disallows signaling in this setting, meaning that yi cannot depend on xj for j ≠ i. On the other hand if the scheme is homomorphic then any local (component-wise) relationship is achievable, meaning that each yi can be an arbitrary function of xi. However, there are also relationships which are neither signaling nor local. Dwork et al. asked if it is possible to have encryption schemes that support such “spooky” relationships. Answering this question is the focus of our work. Our first result shows that, under the LWE assumption, there exist encryption schemes supporting a large class of “spooky” relationships, which we call additive function sharing (AFS) spooky. In particular, for any polynomial-time function f, Alice can ensure that y1,…, yn are random subject to ∑n i=1 yi = f(x1,…, xn). For this result, the public keys all depend on common public randomness. Our second result shows that, assuming sub-exponentially hard indistinguishability obfuscation (iO) (and additional more standard assumptions), we can remove the common randomness and choose the public keys completely independently. Furthermore, in the case of n = 2 inputs, we get a scheme that supports an even larger class of spooky relationships. We discuss several implications of AFS-spooky encryption. Firstly, it gives a strong counter-example to a method proposed by Aiello et al. [1] for building arguments for NP from homomorphic encryption. Secondly, it gives a simple 2-round multi-party computation protocol where, at the end of the first round, the parties can locally compute an additive secret sharing of the output. Lastly, it immediately yields a function secret sharing (FSS) scheme for all functions. We also define a notion of spooky-free encryption, which ensures that no spooky relationship is achievable. We show that any nonmalleable encryption scheme is spooky-free. Furthermore, we can construct spooky-free homomorphic encryption schemes from SNARKs, and it remains an open problem whether it is possible to do so from falsifiable assumptions.
AB - Consider encrypting n inputs under n independent public keys. Given the ciphertexts {ci = Encpki (xi)}i, Alice outputs ciphertexts c’1,…, c‘n that decrypt to y1,…, yn respectively. What relationships between the xi’s and yi’s can Alice induce? Motivated by applications to delegating computations, Dwork et al. [11] showed that a semantically secure scheme disallows signaling in this setting, meaning that yi cannot depend on xj for j ≠ i. On the other hand if the scheme is homomorphic then any local (component-wise) relationship is achievable, meaning that each yi can be an arbitrary function of xi. However, there are also relationships which are neither signaling nor local. Dwork et al. asked if it is possible to have encryption schemes that support such “spooky” relationships. Answering this question is the focus of our work. Our first result shows that, under the LWE assumption, there exist encryption schemes supporting a large class of “spooky” relationships, which we call additive function sharing (AFS) spooky. In particular, for any polynomial-time function f, Alice can ensure that y1,…, yn are random subject to ∑n i=1 yi = f(x1,…, xn). For this result, the public keys all depend on common public randomness. Our second result shows that, assuming sub-exponentially hard indistinguishability obfuscation (iO) (and additional more standard assumptions), we can remove the common randomness and choose the public keys completely independently. Furthermore, in the case of n = 2 inputs, we get a scheme that supports an even larger class of spooky relationships. We discuss several implications of AFS-spooky encryption. Firstly, it gives a strong counter-example to a method proposed by Aiello et al. [1] for building arguments for NP from homomorphic encryption. Secondly, it gives a simple 2-round multi-party computation protocol where, at the end of the first round, the parties can locally compute an additive secret sharing of the output. Lastly, it immediately yields a function secret sharing (FSS) scheme for all functions. We also define a notion of spooky-free encryption, which ensures that no spooky relationship is achievable. We show that any nonmalleable encryption scheme is spooky-free. Furthermore, we can construct spooky-free homomorphic encryption schemes from SNARKs, and it remains an open problem whether it is possible to do so from falsifiable assumptions.
UR - http://www.scopus.com/inward/record.url?scp=84979519913&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84979519913&partnerID=8YFLogxK
U2 - 10.1007/978-3-662-53015-3_4
DO - 10.1007/978-3-662-53015-3_4
M3 - Conference contribution
AN - SCOPUS:84979519913
SN - 9783662530146
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 93
EP - 122
BT - Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings
A2 - Robshaw, Matthew
A2 - Katz, Jonathan
PB - Springer Verlag
T2 - 36th Annual International Cryptology Conference, CRYPTO 2016
Y2 - 14 August 2016 through 18 August 2016
ER -