Pratish Datta

Functional Encryption for Inner Product with Full Function Privacy

Functional encryption FE supports constrained decryption keys that allow decrypters to learn specific functions of encrypted messages. In numerous practical applications of FE, confidentiality must be assured not only for the encrypted data but also for the functions for which functional keys are provided. This paper presents a non-generic simple private key FE scheme for the inner product functionality, also known as inner product encryption IPE. In contrast to the existing similar schemes, our construction achieves the strongest indistinguishability-based notion of function privacy in the private key setting without employing any computationally expensive cryptographic tool or non-standard complexity assumption. Our construction is built in the asymmetric bilinear pairing group setting of prime order. The security of our scheme is based on the well-studied Symmetric External Diffie-Hellman SXDH assumption.

Fully Secure Online/Offline Predicate and Attribute-Based Encryption

This paper presents the first fully secure online/offline predicate encryption (PE) and attribute-based encryption (ABE) schemes that split the computation required for encryption into two phases: A preparation phase that does the vast majority of the work to encrypt a message before knowing the actual message and the attributes or access control policy that will be used. A second phase can then rapidly assemble a ciphertext when the specifications become known. Our PE schemes support generalized inner-product predicates, while, our ABE scheme supports non-monotone access structures. All the proposed schemes are unbounded in the sense that the size of the public parameters is constant. The security of all the schemes are based on the Decisional Linear assumption. The best part of our constructions is that they exhibit better online performance despite of providing stronger security guarantees compared to the existing work.

Adaptively Secure Unrestricted Attribute-Based Encryption with Subset Difference Revocation in Bilinear Groups of Prime Order

Providing an efficient revocation mechanism for attribute-based encryption ABE is of utmost importance since over time a users credentials may be revealed or expired. All previously known revocable ABE RABE constructions a essentially utilize the complete subtree CS scheme for revocation purpose, b are restricted in the sense that the size of the public parameters depends linearly on the size of the attribute universe and logarithmically on the number of users in the system, and c are either selectively secure, which seems unrealistic in a dynamic system such as RABE, or fully secure but built in a composite order bilinear group setting, which results in high computational cost. This paper presents the first adaptively secure unrestricted RABE using subset difference SD mechanism for revocation which greatly improves the broadcast efficiency compared to the CS scheme. Our RABE scheme is built on a prime order bilinear group setting resulting in practical computation cost, and its security depends on the Decisional Linear assumption.

Full-Hiding (Unbounded) Multi-input Inner Product Functional Encryption from the k -Linear Assumption

This paper presents two non-generic and practically efficient private key multi-input functional encryption (MIFE) schemes for the multi-input version of the inner product functionality that are the first to achieve simultaneous message and function privacy, namely, the full-hiding security for a non-trivial multi-input functionality under well-studied cryptographic assumptions. Our MIFE schemes are built in bilinear groups of prime order, and their security is based on the standard k-Linear (k-LIN) assumption (along with the existence of semantically secure symmetric key encryption and pseudorandom functions). Our constructions support polynomial number of encryption slots (inputs) without incurring any super-polynomial loss in the security reduction. While the number of encryption slots in our first scheme is apriori bounded, our second scheme can withstand an arbitrary number of encryption slots. Prior to our work, there was no known MIFE scheme for a non-trivial functionality, even without function privacy, that can support an unbounded number of encryption slots without relying on any heavy-duty building block or little-understood cryptographic assumption.

Compact Attribute-Based Encryption and Signcryption for General Circuits from Multilinear Maps

In this paper, we start by presenting a key-policy attribute-based encryption ABE supporting general polynomial-size circuit realizable decryption policies and featuring compactness in the sense that our ABE construction exhibits short ciphertexts and shorter decryption keys compared to existing similar works. We then design a key-policy attribute-based signcryption ABSC scheme which enjoys several interesting properties that were never achievable before. It supports signing and decryption policies representable as arbitrary polynomial-size circuits. Besides, it generates short ciphertext. Our constructions employ multilinear map and achieve selective security in the standard model under standard complexity assumptions. More interestingly, our key-policy constructions can be converted to the corresponding ciphertext-policy variants achieving short ciphertext by utilizing the technique of universal circuits.

Functional Signcryption: Notion, Construction, and Applications

Functional encryption FE enables sophisticated control over decryption rights in a multi-user scenario, while functional signature FS allows to enforce complex constraints on signing capabilities. This paper introduces the concept of functional signcryption FSC that aims to provide the functionalities of both FE and FS in an unified cost-effective primitive. FSC provides a solution to the problem of achieving confidentiality and authenticity simultaneously in digital communication and storage systems involving multiple users with better efficiency compared to a sequential implementation of FE and FS. We begin by providing formal definition of FSC and formulating its security requirements. Next, we present a generic construction of this challenging primitive that supports arbitrary polynomial-size signing and decryption functions from known cryptographic building blocks, namely, indistinguishability obfuscation IO and statistically simulation-sound non-interactive zero-knowledge proof of knowledge SSS-NIZKPoK. Finally, we exhibit a number of representative applications of FSC: I We develop the first construction of attribute-based signcryption ABSC supporting signing and decryption policies representable by general polynomial-size circuits from FSC. II We show how FSC can serve as a tool for building SSS-NIZKPoK system and IO, a result which in conjunction with our generic FSC construction can also be interpreted as establishing an equivalence between FSC and the other two fundamental cryptographic primitives.

General Circuit Realizing Compact Revocable Attribute-Based Encryption from Multilinear Maps

This paper demonstrates new technique for managing revocation in the context of attribute-based encryption ABE and presents two selectively secure directly revocable ABE RABE constructionssupporting decryption policies realizable by polynomial size Boolean circuits of arbitrary fan-out andfeaturing compactness in the sense that the number of revocation controlling components in ciphertexts and decryption keys are constant. In fact, our RABE schemes are the first to achieve these parameters. Both our constructions utilize multilinear maps. The size of public parameter in our first construction is linear to the maximum number of users supported by the system while in the second construction we reduce it to logarithmic.

Fully Secure Self-Updatable Encryption in Prime Order Bilinear Groups

In CRYPTO 2012, Sahai et al. raised the concern that in a cloud control system revocation of past keys should also be accompanied by updation of previously generated ciphertexts in order to prevent unread ciphertexts from being read by revoked users. Self-updatable encryption (SUE), introduced by Lee et al. in ASIACRYPT 2013, is a newly developed cryptographic primitive that realizes ciphertext update as an inbuilt functionality and thus improves the efficiency of key revocation and time evolution in cloud management. In SUE, a user can decrypt a ciphertext associated with a specific time if and only if the user possesses a private key corresponding to either the same time as that of the ciphertext or some future time. Furthermore, a ciphertext attached to a certain time can be updated to a new one attached to a future time using only public information. The SUE schemes available in the literature are either (a) fully secure but developed in a composite order bilinear group setting under highly non-standard assumptions or (b) designed in prime order bilinear groups but only selectively secure. This paper presents the first fully secure SUE scheme in prime order bilinear groups under standard assumptions, namely, the Decisional Linear and the Decisional Bilinear Diffie-Hellman assumptions. As pointed out by Freeman (EUROCRYPT 2010) and Lewko (EUROCRYPT 2012), the communication and storage, as well as, computational efficiency of prime order bilinear groups are much higher compared to that of composite order bilinear groups with an equivalent level of security. Consequently, our SUE scheme is highly cost-effective than the existing fully secure SUE.

Constrained Pseudorandom Functions for Unconstrained Inputs Revisited: Achieving Verifiability and Key Delegation

In EUROCRYPT 2016, Deshpande et al. presented a construction of constrained pseudorandom function CPRF supporting inputs of unconstrained polynomial length based on indistinguishability obfuscation and injective pseudorandom generators. Their construction was claimed to be selectively secure. We demonstrate in this paper that their CPRF construction can actually be proven secure not in the selective model, rather in a significantly weaker security model where the adversary is forbidden to query constrained keys adaptively. We also show how to allow adaptive constrained key queries in their construction by innovating new technical ideas. We suitably redesign the security proof. We emphasize that our modification does not involve any additional heavy duty cryptographic tool. Our improved CPRF is further enhanced to present the first constructions of constrained verifiable pseudorandom function CVPRF and delegatable constrained pseudorandom function DCPRF supporting inputs of unconstrained polynomial length, employing only standard public key encryption PKE.

A Probabilistic Algebraic Attack on the Grain Family of Stream Ciphers

In 2005, Hell, Johansson and Meier submitted a stream cipher proposal named Grain v1 to the estream call for stream cipher proposals and it also became one estream finalists in the hardware category. The output function of Grain v1 connects its 160 bits internal state divided equally between an LFSR and an NFSR, using a non-linear filter function in a complex way. Over the last years many cryptanalyst identified several weaknesses in Grain v1. As a result in 2011 the inventors modified Grain v1 and published a new version of Grain named Grain-128a which has a similar structure as Grain v1 but with a 256 bits internal state with an optional authentication is the latest version of Grain family resisting all known attacks on Grain v1. However both these ciphers are quite resistant against the classical algebraic attack due to the rapid growth of the degree of the key-stream equations in subsequent clockings caused by the NFSR. This paper presents a probabilistic algebraic attack on both these Grain versions. The basic idea of our attack is to develop separate probabilistic equations for the LFSR and the NFSR bits from each key-stream equations. Surprisingly it turns out that in case of Grain-128a our proposed equations hold with all most sure probability, which makes the sure retrieval of the LFSR bits. We also outline a technique to reduce the growth of degree of the equations involving the NFSR bits for Grain v1. Further we highlight that the concept of probabilistic algebraic attack as proposed in this paper can be considered as a generic attack strategy against any stream cipher having similar structure of the output function as in case of the Grain family.