Similar documents
20 similar documents found (search took 15 ms)
1.
We construct a general-purpose multi-input functional encryption scheme in the private-key setting. Namely, we construct a scheme where a functional key corresponding to a function f enables a user holding encryptions of \(x_1, \ldots , x_t\) to compute \(f(x_1, \ldots , x_t)\) but nothing else. This is achieved starting from any general-purpose private-key single-input scheme (without any additional assumptions) and is proven to be adaptively secure for any constant number of inputs t. Moreover, it can be extended to a super-constant number of inputs assuming that the underlying single-input scheme is sub-exponentially secure. Instantiating our construction with existing single-input schemes, we obtain multi-input schemes that are based on a variety of assumptions (such as indistinguishability obfuscation, multilinear maps, learning with errors, and even one-way functions), offering various trade-offs between security assumptions and functionality. Previous and concurrent constructions of multi-input functional encryption schemes either relied on stronger assumptions and provided weaker security guarantees (Goldwasser et al. in Advances in cryptology—EUROCRYPT, 2014; Ananth and Jain in Advances in cryptology—CRYPTO, 2015), or relied on multilinear maps and could be proven secure only in an idealized generic model (Boneh et al. in Advances in cryptology—EUROCRYPT, 2015). In comparison, we present a general transformation that simultaneously relies on weaker assumptions and guarantees stronger security.

2.
Functional encryption supports restricted decryption keys that allow users to learn specific functions of the encrypted messages. Although the vast majority of research on functional encryption has so far focused on the privacy of the encrypted messages, in many realistic scenarios it is crucial to offer privacy also for the functions for which decryption keys are provided. Whereas function privacy is inherently limited in the public-key setting, in the private-key setting it has a tremendous potential. Specifically, one can hope to construct schemes where encryptions of messages \(\mathsf{m}_1, \ldots , \mathsf{m}_T\) together with decryption keys corresponding to functions \(f_1, \ldots , f_T\), reveal essentially no information other than the values \(\{ f_i(\mathsf{m}_j)\}_{i,j\in [T]}\). Despite its great potential, the known function-private private-key schemes either support rather limited families of functions (such as inner products) or offer somewhat weak notions of function privacy. We present a generic transformation that yields a function-private functional encryption scheme, starting with any non-function-private scheme for a sufficiently rich function class. Our transformation preserves the message privacy of the underlying scheme and can be instantiated using a variety of existing schemes. Plugging in known constructions of functional encryption schemes, we obtain function-private schemes based either on the learning with errors assumption, on obfuscation assumptions, on simple multilinear-maps assumptions, or even on the existence of any one-way function (offering various trade-offs between security and efficiency).

3.
The development of precise definitions of security for encryption, as well as a detailed understanding of their relationships, has been a major area of research in modern cryptography. Here, we focus on the case of private-key encryption. Extending security notions from the public-key setting, we define security in the sense of both indistinguishability and non-malleability against chosen-plaintext and chosen-ciphertext attacks, considering both non-adaptive (i.e., "lunchtime") and adaptive oracle access (adaptive here refers to an adversary's ability to interact with a given oracle even after viewing the challenge ciphertext). We then characterize the 18 resulting security notions in two ways. First, we construct a complete hierarchy of security notions; that is, for every pair of definitions we show whether one definition is stronger than the other, whether the definitions are equivalent, or whether they are incomparable. Second, we partition these notions of security into two classes (computational or information-theoretic) depending on whether one-way functions are necessary in order for encryption schemes satisfying the definition to exist. Perhaps our most surprising result is that security against adaptive chosen-plaintext attack is (polynomially) equivalent to security against non-adaptive chosen-plaintext attack. On the other hand, the ability of an adversary to mount a (non-adaptive) chosen-plaintext attack is the key feature distinguishing computational and information-theoretic notions of security. These results hold for all security notions considered here.

4.
We present new constructions of leakage-resilient cryptosystems, which remain provably secure even if the attacker learns some arbitrary partial information about their internal secret-key. For any polynomial \(\ell \), we can instantiate these schemes so as to tolerate up to \(\ell \) bits of leakage. While there has been much prior work constructing such leakage-resilient cryptosystems under concrete number-theoretic and algebraic assumptions, we present the first schemes under general and minimal assumptions. In particular, we construct:
  • Leakage-resilient public-key encryption from any standard public-key encryption.
  • Leakage-resilient weak pseudorandom functions, symmetric-key encryption, and message-authentication codes from any one-way function.
These are the first constructions of leakage-resilient symmetric-key primitives that do not rely on public-key assumptions. We also get the first constructions of leakage-resilient public-key encryption from “search assumptions,” such as the hardness of factoring or CDH. Although our schemes can tolerate arbitrarily large amounts of leakage, the tolerated rate of leakage (defined as the ratio of leakage amount to key size) is rather poor in comparison with prior results under specific assumptions. As a building block of independent interest, we study a notion of weak hash-proof systems in the public-key and symmetric-key settings. While these inherit some of the interesting security properties of standard hash-proof systems, we can instantiate them under general assumptions.

6.
Deterministic public-key encryption, introduced by Bellare, Boldyreva, and O’Neill (CRYPTO ’07), provides an alternative to randomized public-key encryption in various scenarios where the latter exhibits inherent drawbacks. A deterministic encryption algorithm, however, cannot satisfy any meaningful notion of security when the plaintext is distributed over a small set. Bellare et al. addressed this difficulty by requiring semantic security to hold only when the plaintext has high min-entropy from the adversary’s point of view. In many applications, however, an adversary may obtain auxiliary information that is related to the plaintext. Specifically, when deterministic encryption is used as a building block of a larger system, it is rather likely that plaintexts do not have high min-entropy from the adversary’s point of view. In such cases, the framework of Bellare et al. might fall short of providing robust security guarantees. We formalize a framework for studying the security of deterministic public-key encryption schemes with respect to auxiliary inputs. Given the trivial requirement that the plaintext should not be efficiently recoverable from the auxiliary input, we focus on hard-to-invert auxiliary inputs. Within this framework, we propose two schemes: the first is based on the d-linear assumption for any d≥1 (including, in particular, the decisional Diffie–Hellman assumption), and the second is based on a rather general class of subgroup indistinguishability assumptions (including, in particular, the quadratic residuosity assumption and Paillier’s composite residuosity assumption). Our schemes are secure with respect to any auxiliary input that is subexponentially hard to invert (assuming the standard hardness of the underlying computational assumptions). In addition, our first scheme is secure even in the multi-user setting where related plaintexts may be encrypted under multiple public keys.
Constructing a scheme that is secure in the multi-user setting (even without considering auxiliary inputs) was identified by Bellare et al. as an important open problem.

7.
Cable TV operators currently treat VOD as their preferred value-added service. To keep programmes from being obtained by unauthorized users and to protect the copyright of digital TV content, VOD digital TV programmes must be encrypted. This paper surveys the VOD encryption methods currently available to the broadcasting and telecommunications industries, designs the encryption and on-demand workflows for each encryption mode, and offers cable operators a practical and effective approach to developing VOD services.

8.
Implementation approaches for the Advanced Encryption Standard algorithm (cited by: 1; self-citations: 0; citations by others: 1)
This paper addresses various approaches for efficient hardware implementation of the Advanced Encryption Standard algorithm. The optimization methods can be divided into two classes: architectural optimization and algorithmic optimization. Architectural optimization exploits the strength of pipelining, loop unrolling and sub-pipelining. Speed is increased by processing multiple rounds simultaneously at the cost of increased area. Architectural optimization is not an effective solution in feedback mode: loop unrolling is the only architecture that can achieve a slight speedup, and only with significantly increased area. In non-feedback mode, sub-pipelining can achieve the maximum speedup and the best speed/area ratio. Algorithmic optimization exploits algorithmic strength inside each round unit. Various methods to reduce the critical path and area of each round unit are presented. Resource sharing between encryptor and decryptor is also discussed; it becomes an important issue when both encryptor and decryptor need to be implemented in a small area.

9.
This paper describes the test sets that were devised at the US National Bureau of Standards (NBS) for hardware implementations of the standard encryption algorithm. These tests consist of a validation test set, which is being used at NBS to certify the correctness of vendors' implementations of the algorithm, and a maintenance test set, which can be used to ensure reliability in the operation of such encryption devices in the field. Each of these test sets is universal in the sense that the tests are independent of any particular hardware implementation of the algorithm, but depend only on the abstract definition of the encryption function itself.

10.
The generic ring model considers algorithms that operate on elements of an algebraic ring by performing only the ring operations and without exploiting properties of a given representation of ring elements. It is used to analyze the hardness of computational problems defined over rings. For instance, it is known that breaking RSA is equivalent to factoring in the generic ring model (Aggarwal and Maurer, Eurocrypt 2009). Do hardness results in the generic ring model support the conjecture that solving the considered problem is also hard in the standard model, where elements of \(\mathbb{Z}_n\) are represented by integers modulo n? We prove in the generic ring model that computing the Jacobi symbol of an integer modulo n is equivalent to factoring. Since there are simple and efficient non-generic algorithms which compute the Jacobi symbol, this provides an example of a natural computational problem which is hard in the generic ring model, but easy to solve if elements of \(\mathbb{Z}_n\) are given in their standard representation as integers. Thus, a proof in the generic ring model is unfortunately not a very strong indicator for the hardness of a computational problem in the standard model. Despite this negative result, generic hardness results still provide a lower complexity bound for a large class of algorithms, namely all algorithms solving a computational problem independent of a given representation of ring elements. From this point of view, results in the generic ring model are still interesting. Motivated by this fact, we also show that solving the quadratic residuosity problem generically is equivalent to factoring.

11.
This paper examines the pseudo-public-key cryptosystem based on error back-propagation networks proposed by Phong Nguyen, points out its problems in computational speed, secrecy, flexibility and generality, and message expansion, and identifies the main causes of these problems.

13.
An order-preserving encryption method for character data in relational databases (cited by: 3; self-citations: 0; citations by others: 3)
This paper analyses existing order-preserving encryption methods for numeric data and, building on them, proposes an order-preserving encryption method for character data in relational databases. It describes the encryption principle and the ciphertext index structure in detail, and analyses the handling of repeated data and the algorithm's resistance to attack. Finally, the algorithm is evaluated experimentally in terms of both time and space overhead; the results show that the method preserves database security while solving the query-performance problem of encrypted databases.

14.
Journal of Communications Technology and Electronics - In this paper, belief propagation (BP) iterative estimation of chaos-modulated signals is considered in massive multiple-input multiple-output...

16.
This paper presents an on-line self-test architecture for hardware implementation of the Advanced Encryption Standard (AES). The solution exploits the inherent spatial replications of a parallel architecture for implementing functional redundancy at low cost. We show that the solution is very effective for on-line fault detection while keeping the area overhead very low. Moreover, the architectural modification for on-line test does not weaken the device with respect to side-channel attacks based on power analysis.

17.
PVR set-top boxes are a new trend in digital television, and since programme content is a primary source of operator revenue, encryption of digital TV programme streams is receiving increasing attention. This paper studies the use of the AES algorithm to encrypt the high-definition programme content stored on an HD digital TV PVR set-top box in order to implement copyright protection. It focuses on the concrete implementation steps and optimization of AES and on its application in the PVR set-top box; the algorithm is implemented in C and its execution efficiency in the embedded environment is compared with that on an ordinary PC.

18.
Password-protecting a web page is an advanced web design technique. The paper first briefly introduces the principle of password verification through CGI, then describes in detail how to set a password on a web page using JavaScript, and gives the relevant commands, source code fragments, and a technical analysis.

19.
The problem of estimating linear functions of a state vector in a multi-input/output system is considered. A simple lower bound on the observer order with arbitrary eigenvalues is established. Algorithms to construct minimal-order stable (or arbitrary dynamics) observers are also outlined.

20.
张鑫  彭亚雄 《通信技术》2014,(9):1071-1074
This paper describes the interaction between server and client during the TLS handshake and analyses the key components of the RC4 encryption used there, namely the key scheduling algorithm (KSA) and the pseudo-random generation algorithm (PRGA), focusing on the security problems of the PRGA in the current encryption process. Using the guess-and-determine analysis method, it analyses the correlation between the number and distribution of known values in the PRGA's initial state and the complexity of breaking RC4. Under specific conditions, the method can effectively break RC4.
