Spooky encryption and its applications

Yevgeniy Dodis; Shai Halevi; Ron D. Rothblum; Daniel Wichs

doi:10.1007/978-3-662-53015-3_4

Spooky encryption and its applications

Yevgeniy Dodis, Shai Halevi, Ron D. Rothblum, Daniel Wichs

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Consider encrypting n inputs under n independent public keys. Given the ciphertexts {ci = Enc_pki (xi)}i, Alice outputs ciphertexts c’₁,…, c‘_n that decrypt to y1,…, y_n respectively. What relationships between the x_i’s and y_i’s can Alice induce? Motivated by applications to delegating computations, Dwork et al. [11] showed that a semantically secure scheme disallows signaling in this setting, meaning that y_i cannot depend on x_j for j ≠ i. On the other hand if the scheme is homomorphic then any local (component-wise) relationship is achievable, meaning that each y_i can be an arbitrary function of xi. However, there are also relationships which are neither signaling nor local. Dwork et al. asked if it is possible to have encryption schemes that support such “spooky” relationships. Answering this question is the focus of our work. Our first result shows that, under the LWE assumption, there exist encryption schemes supporting a large class of “spooky” relationships, which we call additive function sharing (AFS) spooky. In particular, for any polynomial-time function f, Alice can ensure that y₁,…, y_n are random subject to ∑ⁿ _i=1 y_i = f(x₁,…, x_n). For this result, the public keys all depend on common public randomness. Our second result shows that, assuming sub-exponentially hard indistinguishability obfuscation (iO) (and additional more standard assumptions), we can remove the common randomness and choose the public keys completely independently. Furthermore, in the case of n = 2 inputs, we get a scheme that supports an even larger class of spooky relationships. We discuss several implications of AFS-spooky encryption. Firstly, it gives a strong counter-example to a method proposed by Aiello et al. [1] for building arguments for NP from homomorphic encryption. Secondly, it gives a simple 2-round multi-party computation protocol where, at the end of the first round, the parties can locally compute an additive secret sharing of the output. Lastly, it immediately yields a function secret sharing (FSS) scheme for all functions. We also define a notion of spooky-free encryption, which ensures that no spooky relationship is achievable. We show that any nonmalleable encryption scheme is spooky-free. Furthermore, we can construct spooky-free homomorphic encryption schemes from SNARKs, and it remains an open problem whether it is possible to do so from falsifiable assumptions.

Original language	English (US)
Title of host publication	Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings
Editors	Matthew Robshaw, Jonathan Katz
Publisher	Springer Verlag
Pages	93-122
Number of pages	30
ISBN (Print)	9783662530146
DOIs	https://doi.org/10.1007/978-3-662-53015-3_4
State	Published - 2016
Event	36th Annual International Cryptology Conference, CRYPTO 2016 - Santa Barbara, United States Duration: Aug 14 2016 → Aug 18 2016

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	9816
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	36th Annual International Cryptology Conference, CRYPTO 2016
Country/Territory	United States
City	Santa Barbara
Period	8/14/16 → 8/18/16

ASJC Scopus subject areas

Theoretical Computer Science
Computer Science(all)

Access to Document

10.1007/978-3-662-53015-3_4

Cite this

Dodis, Y., Halevi, S., Rothblum, R. D., & Wichs, D. (2016). Spooky encryption and its applications. In M. Robshaw, & J. Katz (Eds.), Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings (pp. 93-122). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9816). Springer Verlag. https://doi.org/10.1007/978-3-662-53015-3_4

Spooky encryption and its applications. / Dodis, Yevgeniy; Halevi, Shai; Rothblum, Ron D.; Wichs, Daniel.

Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings. ed. / Matthew Robshaw; Jonathan Katz. Springer Verlag, 2016. p. 93-122 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9816).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Dodis, Y, Halevi, S, Rothblum, RD & Wichs, D 2016, Spooky encryption and its applications. in M Robshaw & J Katz (eds), Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 9816, Springer Verlag, pp. 93-122, 36th Annual International Cryptology Conference, CRYPTO 2016, Santa Barbara, United States, 8/14/16. https://doi.org/10.1007/978-3-662-53015-3_4

Dodis Y, Halevi S, Rothblum RD, Wichs D. Spooky encryption and its applications. In Robshaw M, Katz J, editors, Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings. Springer Verlag. 2016. p. 93-122. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-662-53015-3_4

Dodis, Yevgeniy ; Halevi, Shai ; Rothblum, Ron D. ; Wichs, Daniel. / Spooky encryption and its applications. Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings. editor / Matthew Robshaw ; Jonathan Katz. Springer Verlag, 2016. pp. 93-122 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{51c5a9c0c7cc4d80b61cb4ff760fd449,

title = "Spooky encryption and its applications",

abstract = "Consider encrypting n inputs under n independent public keys. Given the ciphertexts {ci = Encpki (xi)}i, Alice outputs ciphertexts c{\textquoteright}1,…, c{\textquoteleft}n that decrypt to y1,…, yn respectively. What relationships between the xi{\textquoteright}s and yi{\textquoteright}s can Alice induce? Motivated by applications to delegating computations, Dwork et al. [11] showed that a semantically secure scheme disallows signaling in this setting, meaning that yi cannot depend on xj for j ≠ i. On the other hand if the scheme is homomorphic then any local (component-wise) relationship is achievable, meaning that each yi can be an arbitrary function of xi. However, there are also relationships which are neither signaling nor local. Dwork et al. asked if it is possible to have encryption schemes that support such “spooky” relationships. Answering this question is the focus of our work. Our first result shows that, under the LWE assumption, there exist encryption schemes supporting a large class of “spooky” relationships, which we call additive function sharing (AFS) spooky. In particular, for any polynomial-time function f, Alice can ensure that y1,…, yn are random subject to ∑n i=1 yi = f(x1,…, xn). For this result, the public keys all depend on common public randomness. Our second result shows that, assuming sub-exponentially hard indistinguishability obfuscation (iO) (and additional more standard assumptions), we can remove the common randomness and choose the public keys completely independently. Furthermore, in the case of n = 2 inputs, we get a scheme that supports an even larger class of spooky relationships. We discuss several implications of AFS-spooky encryption. Firstly, it gives a strong counter-example to a method proposed by Aiello et al. [1] for building arguments for NP from homomorphic encryption. Secondly, it gives a simple 2-round multi-party computation protocol where, at the end of the first round, the parties can locally compute an additive secret sharing of the output. Lastly, it immediately yields a function secret sharing (FSS) scheme for all functions. We also define a notion of spooky-free encryption, which ensures that no spooky relationship is achievable. We show that any nonmalleable encryption scheme is spooky-free. Furthermore, we can construct spooky-free homomorphic encryption schemes from SNARKs, and it remains an open problem whether it is possible to do so from falsifiable assumptions.",

author = "Yevgeniy Dodis and Shai Halevi and Rothblum, {Ron D.} and Daniel Wichs",

note = "Funding Information: This work was done in part while the authors were visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant #CNS-1523467. The first author was partially supported by gifts from VMware Labs and Google, and NSF grants 1319051, 1314568, 1065288, 1017471. The second author was supported in part by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office(ARO) under Contract No. W911NF-15-C-0236. The third author was supported by NSF MACS - CNS-1413920, DARPA IBM - W911NF-15-C-0236, SIMONS Investigator award Agreement Dated 6-5-12 and DARPA NJIT - W911NF-15-C-0226. The last author was supported in part by NSF grants CNS-1347350, CNS-1314722, CNS-1413964. Publisher Copyright: {\textcopyright} IFIP International Federation for Information Processing 2016.; 36th Annual International Cryptology Conference, CRYPTO 2016 ; Conference date: 14-08-2016 Through 18-08-2016",

year = "2016",

doi = "10.1007/978-3-662-53015-3_4",

language = "English (US)",

isbn = "9783662530146",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "93--122",

editor = "Matthew Robshaw and Jonathan Katz",

booktitle = "Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings",

}

TY - GEN

T1 - Spooky encryption and its applications

AU - Dodis, Yevgeniy

AU - Halevi, Shai

AU - Rothblum, Ron D.

AU - Wichs, Daniel

N1 - Funding Information: This work was done in part while the authors were visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant #CNS-1523467. The first author was partially supported by gifts from VMware Labs and Google, and NSF grants 1319051, 1314568, 1065288, 1017471. The second author was supported in part by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office(ARO) under Contract No. W911NF-15-C-0236. The third author was supported by NSF MACS - CNS-1413920, DARPA IBM - W911NF-15-C-0236, SIMONS Investigator award Agreement Dated 6-5-12 and DARPA NJIT - W911NF-15-C-0226. The last author was supported in part by NSF grants CNS-1347350, CNS-1314722, CNS-1413964. Publisher Copyright: © IFIP International Federation for Information Processing 2016.

PY - 2016

Y1 - 2016

N2 - Consider encrypting n inputs under n independent public keys. Given the ciphertexts {ci = Encpki (xi)}i, Alice outputs ciphertexts c’1,…, c‘n that decrypt to y1,…, yn respectively. What relationships between the xi’s and yi’s can Alice induce? Motivated by applications to delegating computations, Dwork et al. [11] showed that a semantically secure scheme disallows signaling in this setting, meaning that yi cannot depend on xj for j ≠ i. On the other hand if the scheme is homomorphic then any local (component-wise) relationship is achievable, meaning that each yi can be an arbitrary function of xi. However, there are also relationships which are neither signaling nor local. Dwork et al. asked if it is possible to have encryption schemes that support such “spooky” relationships. Answering this question is the focus of our work. Our first result shows that, under the LWE assumption, there exist encryption schemes supporting a large class of “spooky” relationships, which we call additive function sharing (AFS) spooky. In particular, for any polynomial-time function f, Alice can ensure that y1,…, yn are random subject to ∑n i=1 yi = f(x1,…, xn). For this result, the public keys all depend on common public randomness. Our second result shows that, assuming sub-exponentially hard indistinguishability obfuscation (iO) (and additional more standard assumptions), we can remove the common randomness and choose the public keys completely independently. Furthermore, in the case of n = 2 inputs, we get a scheme that supports an even larger class of spooky relationships. We discuss several implications of AFS-spooky encryption. Firstly, it gives a strong counter-example to a method proposed by Aiello et al. [1] for building arguments for NP from homomorphic encryption. Secondly, it gives a simple 2-round multi-party computation protocol where, at the end of the first round, the parties can locally compute an additive secret sharing of the output. Lastly, it immediately yields a function secret sharing (FSS) scheme for all functions. We also define a notion of spooky-free encryption, which ensures that no spooky relationship is achievable. We show that any nonmalleable encryption scheme is spooky-free. Furthermore, we can construct spooky-free homomorphic encryption schemes from SNARKs, and it remains an open problem whether it is possible to do so from falsifiable assumptions.

AB - Consider encrypting n inputs under n independent public keys. Given the ciphertexts {ci = Encpki (xi)}i, Alice outputs ciphertexts c’1,…, c‘n that decrypt to y1,…, yn respectively. What relationships between the xi’s and yi’s can Alice induce? Motivated by applications to delegating computations, Dwork et al. [11] showed that a semantically secure scheme disallows signaling in this setting, meaning that yi cannot depend on xj for j ≠ i. On the other hand if the scheme is homomorphic then any local (component-wise) relationship is achievable, meaning that each yi can be an arbitrary function of xi. However, there are also relationships which are neither signaling nor local. Dwork et al. asked if it is possible to have encryption schemes that support such “spooky” relationships. Answering this question is the focus of our work. Our first result shows that, under the LWE assumption, there exist encryption schemes supporting a large class of “spooky” relationships, which we call additive function sharing (AFS) spooky. In particular, for any polynomial-time function f, Alice can ensure that y1,…, yn are random subject to ∑n i=1 yi = f(x1,…, xn). For this result, the public keys all depend on common public randomness. Our second result shows that, assuming sub-exponentially hard indistinguishability obfuscation (iO) (and additional more standard assumptions), we can remove the common randomness and choose the public keys completely independently. Furthermore, in the case of n = 2 inputs, we get a scheme that supports an even larger class of spooky relationships. We discuss several implications of AFS-spooky encryption. Firstly, it gives a strong counter-example to a method proposed by Aiello et al. [1] for building arguments for NP from homomorphic encryption. Secondly, it gives a simple 2-round multi-party computation protocol where, at the end of the first round, the parties can locally compute an additive secret sharing of the output. Lastly, it immediately yields a function secret sharing (FSS) scheme for all functions. We also define a notion of spooky-free encryption, which ensures that no spooky relationship is achievable. We show that any nonmalleable encryption scheme is spooky-free. Furthermore, we can construct spooky-free homomorphic encryption schemes from SNARKs, and it remains an open problem whether it is possible to do so from falsifiable assumptions.

UR - http://www.scopus.com/inward/record.url?scp=84979519913&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84979519913&partnerID=8YFLogxK

U2 - 10.1007/978-3-662-53015-3_4

DO - 10.1007/978-3-662-53015-3_4

M3 - Conference contribution

AN - SCOPUS:84979519913

SN - 9783662530146

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 93

EP - 122

BT - Advances in Cryptology - 36th Annual International Cryptology Conference, CRYPTO 2016, Proceedings

A2 - Robshaw, Matthew

A2 - Katz, Jonathan

PB - Springer Verlag

T2 - 36th Annual International Cryptology Conference, CRYPTO 2016

Y2 - 14 August 2016 through 18 August 2016

ER -

Spooky encryption and its applications

Abstract

Publication series

Other

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this