LNCS 9986 Martin Hirt Adam Smith (Eds.) Theory of Cryptography 14th International Conference, TCC 2016-B Beijing, China, October 31 – November 3, 2016 Proceedings, Part ll 123 Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen Editorial Board David Hutchison Lancaster University, Lancaster, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M Kleinberg Cornell University, Ithaca, NY, USA Friedemann Mattern ETH Zurich, Zurich, Switzerland John C Mitchell Stanford University, Stanford, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel C Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen TU Dortmund University, Dortmund, Germany Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max Planck Institute for Informatics, Saarbrücken, Germany 9986 More information about this series at http://www.springer.com/series/7410 Martin Hirt Adam Smith (Eds.) • Theory of Cryptography 14th International Conference, TCC 2016-B Beijing, China, October 31 – November 3, 2016 Proceedings, Part II 123 Editors Martin Hirt Department of Computer Science ETH Zurich Zurich Switzerland Adam Smith Pennsylvania State University University Park, PA USA ISSN 0302-9743 ISSN 1611-3349 (electronic) Lecture Notes in Computer Science ISBN 978-3-662-53643-8 ISBN 978-3-662-53644-5 (eBook) DOI 10.1007/978-3-662-53644-5 Library of Congress Control Number: 2016954934 LNCS Sublibrary: SL4 – Security and Cryptology © International Association for Cryptologic Research 2016 This work is subject to copyright All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed The use of general descriptive names, registered names, trademarks, service marks, etc in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made Printed on acid-free paper This Springer imprint is published by Springer Nature The registered company is Springer-Verlag GmbH Germany The registered company address is: Heidelberger Platz 3, 14197 Berlin, Germany Preface The 14th Theory of Cryptography Conference (TCC 2016-B) was held October 31 to November 3, 2016, at the Beijing Friendship Hotel in Beijing, China It was sponsored by the International Association for Cryptographic Research (IACR) and organized in cooperation with State Key Laboratory of Information Security at the Institute of Information Engineering of the Chinese Academy of Sciences The general chair was Dongdai Lin, and the honorary chair was Andrew Chi-Chih Yao The conference received 113 submissions, of which the Program Committee (PC) selected 45 for presentation (with three pairs of papers sharing a single presentation slot per pair) Of these, there were four whose authors were all students at the time of submission The committee selected “Simulating Auxiliary Inputs, Revisited” by Maciej Skórski for the Best Student Paper award Each submission was reviewed by at least three PC members, often more The 25 PC members, all top researchers in our field, were helped by 154 external reviewers, who were consulted when appropriate These proceedings consist of the revised version of the 45 accepted papers The revisions were not reviewed, and the authors bear full responsibility for the content of their papers As in previous years, we used Shai Halevi’s excellent Web review software, and are extremely grateful to him for writing it and for providing fast and reliable technical support whenever we had any questions Based on the experience from the last two years, we used the interaction feature supported by the review software, where PC members may directly and anonymously interact with authors The feature allowed the PC to ask specific technical questions that arose during the review process, for example, about suspected bugs Authors were prompt and extremely helpful in their replies We hope that it will continue to be used in the future This was the third year where TCC presented the Test of Time Award to an outstanding paper that was published at TCC at least eight years ago, making a significant contribution to the theory of cryptography, preferably with influence also in other areas of cryptography, theory, and beyond The Test of Time Award Committee consisted of Tal Rabin (chair), Yuval Ishai, Daniele Micciancio, and Jesper Nielsen They selected “Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology” by Ueli Maurer, Renato Renner, and Clemens Holenstein— which appeared in TCC 2004, the first edition of the conference—for introducing indifferentiability, a security notion that had “significant impact on both the theory of cryptography and the design of practical cryptosystems.” Sadly, Clemens Holenstein passed away in 2012 He is survived by his wife and two sons Maurer and Renner accepted the award on his behalf The authors delivered a talk in a special session at TCC 2016-B An invited paper by them, which was not reviewed, is included in these proceedings The conference featured two other invited talks, by Allison Bishop and Srini Devadas In addition to regular papers and invited events, there was a rump session featuring short talks by attendees VI Preface We are greatly indebted to many people who were involved in making TCC 2016-B a success First of all, our sincere thanks to the most important contributors: all the authors who submitted papers to the conference There were many more good submissions than we had space to accept We would like to thank the PC members for their hard work, dedication, and diligence in reviewing the papers, verifying their correctness, and discussing their merits in depth We are also thankful to the external reviewers for their volunteered hard work in reviewing papers and providing valuable expert feedback in response to specific queries For running the conference itself, we are very grateful to Dongdai and the rest of the local Organizing Committee Finally, we are grateful to the TCC Steering Committee, and especially Shai Halevi, for guidance and advice, as well as to the entire thriving and vibrant theoretical cryptography community TCC exists for and because of that community, and we are proud to be a part of it November 2016 Martin Hirt Adam Smith TCC 2016-B Theory of Cryptography Conference Beijing, China October 31 – November 3, 2016 Sponsored by the International Association for Cryptologic Research and organized in cooperation with the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences General Chair Dongdai Lin Chinese Academy of Sciences, China Honorary Chair Andrew Chi-Chih Yao Tsinghua University, China Program Committee Masayuki Abe Divesh Aggarwal Andrej Bogdanov Elette Boyle Anne Broadbent Chris Brzuska David Cash Alessandro Chiesa Kai-Min Chung Nico Döttling Sergey Gorbunov Martin Hirt (Co-chair) Abhishek Jain Huijia Lin Hemanta K Maji Adam O’Neill Rafael Pass Krzysztof Pietrzak Manoj Prabhakaran Renato Renner Alon Rosen abhi shelat Adam Smith (Co-chair) NTT, Japan NUS, Singapore Chinese University of Hong Kong, Hong Kong IDC Herzliya, Israel University of Ottawa, Canada TU Hamburg, Germany Rutgers University, USA University of California, Berkeley, USA Academia Sinica, Taiwan University of California, Berkeley, USA University of Waterloo, Canada ETH Zurich, Switzerland Johns Hopkins University, USA University of California, Santa Barbara, USA Purdue University, USA Georgetown University, USA Cornell University, USA IST Austria, Austria IIT Bombay, India ETH Zurich, Switzerland IDC Herzliya, Israel Northeastern University, USA Pennsylvania State University, USA VIII TCC 2016-B John Steinberger Jonathan Ullman Vinod Vaikuntanathan Muthuramakrishnan Venkitasubramaniam Tsinghua University, China Northeastern University, USA MIT, USA University of Rochester, USA TCC Steering Committee Mihir Bellare Ivan Damgård Shafi Goldwasser Shai Halevi (Chair) Russell Impagliazzo Ueli Maurer Silvio Micali Moni Naor Tatsuaki Okamoto UCSD, USA Aarhus University, Denmark MIT, USA IBM Research, USA UCSD, USA ETH, Switzerland MIT, USA Weizmann Institute, Israel NTT, Japan External Reviewers Hamza Abusalah Shashank Agrawal Shweta Agrawal Joël Alwen Prabhanjan Ananth Saikrishna Badrinarayanan Marshall Ball Raef Bassily Carsten Baum Amos Beimel Fabrice Benhamouda Itay Berman Nir Bitansky Alexander R Block Tobias Boelter Zvika Brakerski Brandon Broadnax Ran Canetti Andrea Caranti Nishanth Chandran Yi-Hsiu Chen Yilei Chen Yu-Chi Chen Seung Geol Choi Michele Ciampi Aloni Cohen Ran Cohen Angelo Decaro Jean Paul Degabriele Akshay Degwekar Itai Dinur Léo Ducas Tuyet Duong Andreas Enge Antonio Faonio Oriol Farras Pooya Farshim Sebastian Faust Omar Fawzi Max Fillinger Nils Fleischhacker Eiichiro Fujisaki Peter Gaži Satrajit Ghosh Alexander Golovnev Siyao Guo Divya Gupta Venkatesan Guruswami Yongling Hao Carmit Hazay Brett Hemenway Felix Heuer Ryo Hiromasa Dennis Hofheinz Justin Holmgren Pavel Hubáček Tsung-Hsuan Hung Vincenzo Iovino Aayush Jain Chethan Kamath Tomasz Kazana Raza Ali Kazmi Carmen Kempka Florian Kerschbaum Dakshita Khurana Fuyuki Kitagawa Susumu Kiyoshima Saleet Klein Ilan Komargodski Venkata Koppula Stephan Krenn Mukul Ramesh Kulkarni Tancrède Lepoint Kevin Lewi TCC 2016-B Wei-Kai Lin Helger Lipmaa Feng-Hao Liu Vadim Lyubashevsky Mohammad Mahmoody Giulio Malavolta Alex J Malozemoff Daniel Masny Takahiro Matsuda Christian Matt Patrick McCorry Or Meir Peihan Miao Eric Miles Pratyush Mishra Ameer Mohammed Payman Mohassel Tal Moran Kirill Morozov Pratyay Mukherjee Hai H Nguyen Ryo Nishimaki Maciej Obremski Miyako Ohkubo Jiaxin Pan Omkant Pandey Omer Paneth Valerio Pastro Christopher Peikert Oxana Poburinnaya Bertram Poettering Antigoni Polychroniadou Christopher Portmann Srini Raghuraman Samuel Ranellucci Vanishree Rao Mariana Raykova Joseph Renes Leonid Reyzin Silas Richelson Mike Rosulek Guy Rothblum Ron Rothblum Sajin Sasy Alessandra Scafuro Dominique Schröder Karn Seth Vladimir Shpilrain Mark Simkin Nigel Smart Pratik Soni Bing Sun David Sutter Björn Tackmann Stefano Tessaro Justin Thaler Aishwarya Thiruvengadam Junnichi Tomida Rotem Tsabary Margarita Vald Prashant Vasudevan Daniele Venturi Damien Vergnaud Jorge L Villar Dhinakaran Vinayagamurthy Madars Virza Ivan Visconti Hoeteck Wee Eyal Widder David Wu Keita Xagawa Sophia Yakoubov Takashi Yamakawa Avishay Yanay Arkady Yerukhimovich Eylon Yogev Mohammad Zaheri Mark Zhandry Hong-Sheng Zhou Juba Ziani IX 564 4.2 I Damg˚ ard et al Sanitizable Functional Encryption Scheme – Construction We now present a construction of a sFE scheme based on iO The construction is based on the functional encryption construction by Garg et al [GGH+13] In their scheme a ciphertext contains two encryptions of the same message and a NIZK of this statement, thus an adversary can leak information via the randomness in the encryptions or the randomness in the NIZK In a nutshell we make their construct sanitizable by: Replacing the PKE scheme with a sanitizable PKE (as formalized in Definition 7) Letting the sanitizer drop the original NIZK, and append a proof of a proof instead (i.e., a proof that the sanitizer knows a proof that would make the original verifier accept) Thanks to the ZK property the new NIZK does not contain any information about the randomness used to generate the original NIZK Changing the decryption keys (obfuscated programs) to check the new proof instead Building Blocks We formalize here the definition of sanitization for a PKE scheme Any re-randomizable scheme (such as Paillier and ElGamal) satisfies perfect PKE sanitization, but it might be possible that more schemes fit the definition as well Definition (Perfect PKE Sanitization) Let M be the message space and R be the space from which the randomness for the encryption and sanitization is taken Then for every message m ∈ M and for all r, s, r ∈ R there exists s ∈ R such that San(pk, Enc(pk, m; r); s) = San(pk, Enc(pk, m; r ); s ) Our constructions also uses (by now standard) tools such as pseudo-random functions (PRF), indistinguishability obfuscation (iO) and statistical simulationsound non-interactive zero-knowledge (SSS-NIZK), which are defined for completeness in Appendix A Constructing sFE We are now ready to present our construction of sFE Construction Let sPKE = (Setup, Enc, San, Dec) be a perfect sanitizable public key encryption scheme Let NIZK = (Setup, Prove, Verify) be a statistical simulation-sound NIZK Let iO be an indistinguishability obfuscator We construct a sanitizable functional encryption scheme sFE = (Setup, Gen, Enc, San, Dec) as follows: Access Control Encryption: Enforcing Information Flow with Cryptography 565 Setup: On input the security parameter κ the setup algorithm compute the following (pk1 , sk1 ) ← sPKE.Setup(1κ ); (pk2 , sk2 ) ← sPKE.Setup(1κ ); crsE ← NIZK.Setup(1κ , RE ); crsS ← NIZK.Setup(1κ , RS ); Output pp = (crsE , crsS , pk1 , pk2 ) and msk = sk1 ; The relations RE and RS are defined as follows: Let xE = (c1 , c2 ) be a statement and wE = (m, r1 , r2 ) a witness, then RE is defined as RE = {(xE , wE ) | c1 = sPKE.Enc(pk1 , m; r1 ) ∧ c2 = sPKE.Enc(pk2 , m; r2 )} Let xS = (c1 , c2 ) be a statement and wS = (c1 , c2 , s1 , s2 , πE ) a witness, then RS is defined as RS = (xS , wS ) c1 = sPKE.San(pk1 , c1 ; s1 ) ∧ c2 = sPKE.Enc(pk2 , c2 ; s2 ) ∧NIZK.Verify(crsE , (c1 , c2 ), πE ) = Key Generation: On input the master secret key msk and a function f output the secret key SKf = iO(P ) as the obfuscation of the following program Program P Input: c1 , c2 , πS ; Const: crsS , f, sk1 ; If NIZK.Verify(crsS , (c1 , c2 ), πS ) = 1; output f (sPKE.Dec(sk1 , c1 )); else output fail; Encrypt: On input the public parameters pp and a message m compute two PKE encryptions of the message c1 ← sPKE.Enc(pk1 , m; r1 ) c2 ← sPKE.Enc(pk2 , m; r2 ) with randomness (r1 , r2 ) Then create a proof πE that (xE , wE ) ∈ RE with xE = (c1 , c2 ) and witness wE = (m, r1 , r2 ) πE ← NIZK.Prove(crsE , xE , wE ; tE ) using randomness tE Output the triple c = (c1 , c2 , πE ) as the ciphertext Sanitizer: On input the public parameter pp and a ciphertext c = (c1 , c2 , πE ) ∈ C compute the following If NIZK.Verify(crsE , xE , πE ) = then c1 ← sPKE.San(pk1 , c1 ; s1 ) c2 ← sPKE.San(pk2 , c2 ; s2 ) π2 ← NIZK.Prove(crsS , xS , wS ; tS ) Output c = (c1 , c2 , π2 ) 566 I Damg˚ ard et al Else Output c ← sFE.San(pp, sFE.Enc(pp, ⊥)) with randomness (s1 , s2 ) and tS in the PKE and NIZK respectively The generated NIZK is a proof that (xS , wS ) ∈ RS with xS = (c1 , c2 ) and wS = (c1 , c2 , s1 , s2 , πE ) Decryption: On input a secret key SKf and a ciphertext c = (c1 , c2 , πS ) ∈ C , run the obfuscated program SKf (c1 , c2 , πS ) and output the answer Lemma Construction is a correct functional encryption scheme Proof Correctness follows from the correctness of the iO, PKE, and SSS-NIZK schemes, and from inspection of the algorithms Lemma For any adversary A that breaks the IND-CPA security property of Construction 3, there exists an adversary B for the computational zeroknowledge property of the NIZK scheme, an adversary C for the IND-CPA security of the PKE scheme, and an adversary D for iO such that the advantage of adversary A is advsFE,A ≤ 4|M| advNIZK,B + advsPKE,C + q · adviO,C (1 − 2psss ) where q is the number of secret key queries adversary A makes during the game, and psss is the negligible soundness error of the SSS-NIZK scheme Proof This proof follows closely the selective IND-CPA security proof of the FE construction presented by Garg et al [GGH+13] See the full version [DHO16] for the complete proof Lemma For any adversary A that breaks the sanitizer property of Construction 3, there exists an adversary B for the computational zero-knowledge property of the NIZK scheme such that the advantage of adversary A is advsFE,A ≤ 2|M|advNIZK,B Proof This lemma is proven via a series of indistinguishable hybrid games between the challenger and the adversary For the proof to go through we notice that the challenger needs to simulate the NIZK proof At a first look it might seem that the reduction needs to guess the entire ciphertext before setting up the system parameter, but in fact we show that it is enough to guess the message beforehand! Thus, we can use a complexity leveraging technique to get the above advantage See the full version [DHO16] for the complete proof Access Control Encryption: Enforcing Information Flow with Cryptography 4.3 567 Polylog ACE Scheme In this section, we present a construction of an ACE scheme for multiple identities based on sanitizable functional encryption The idea of the construction is the following: an encryption of a message m is a sFE encryption of the message together with the senders identity i and a MAC of the message based on the identity Crucially, the encryption keys for all identities are generated in a pseudorandom way from a master key, thus it is possible to check MACs for all identities using a compact circuit The sanitizer key is a sFE secret key for a special function that checks that the MAC is correct for the claimed identity Then the sanitization consists of sanitizing the sFE ciphertext, and then using the sanitizer key to check the MAC The decryption key for identity j is a sFE secret key for a function that checks that identity i in the ciphertext and identity j are allowed to communicate (and ignores the MAC) The function then outputs the message iff the check goes through Construction Let sFE = (Setup, Gen, Enc, San, Dec) be a sanitizable functional encryption scheme Let F1 , F2 be pseudorandom functions Then we can construct an ACE scheme ACE = (Setup, Gen, Enc, San, Dec) defined by the following algorithms: Setup: Let K ← {0, 1}κ be a key for the pseudorandom function F1 Run (ppsFE , msk sFE ) ← sFE.Setup(1κ ) Output the public parameter pp = ppsFE and the master secret key msk = (msk sFE , K) Key Generation: Given the master secret key msk and an identity i, the encryption, decryption and sanitizer key are computed as follows: – eki ← F1 (K, i) – dki ← sFE.Gen(msk sFE , fi ) – rk ← sFE.Gen(msk sFE , frk ) where the functions fi and frk are defined as follows Decryption function fi (m, j, t): If P (j, i) = 1: output m; Else output ⊥; Sanitizer function frk (m, j, t): ekj = F1 (K, j); If t = F2 (ekj , m): output 1; Else output 0; Encryption: On input a message m and an encryption key eki , compute t = F2 (eki , m) and output c = sFE.Enc(ppsFE , (m, i, t)) Sanitizer: Given a ciphertext c and the sanitizer key rk = SKrk check the MAC and output a sanitized FE ciphertext c = sFE.San(ppsFE , c) If sFE.Dec(SKrk , c ) = 1: output c Else output San(rk, Enc(ek0 , ⊥)) 568 I Damg˚ ard et al Decryption: Given a ciphertext c and a decryption key dkj = SKj output m = sFE.Dec(SKj , c ) Lemma Construction is a correct ACE scheme Proof Let P (i, j) = for some i, j Let c be a honest sanitization of a honest generated encryption of message m under identity i: c = San(rk, Enc(eki , m)) = sFE.San(ppsFE , sFE.Enc(ppsFE , (m, i, F2 (eki , m)))) Given the decryption key dkj = SKj ← sFE.Gen(msk, fj ) Then the correctness property of the sFE scheme gives Pr [Dec(dkj , c ) = m] = Pr [sFE.Dec(SKj , c ) = m] ≤ negl(κ) Theorem For any adversary A that breaks the No-Read Rule of Construction 4, there exists an adversary B for the IND-CPA security of the sanitizable functional encryption scheme, such that the advantage of A is advACE,A ≤ advsFE,B Proof Assume that any adversary wins the IND-CPA security game of the sanitizable functional encryption (sFE) scheme with advantage at most Assume for contradiction that there is an adversary A that wins the ACE no-read game with advantage greater than , then we can construct an adversary B that wins the IND-CPA security game for the sFE scheme with advantage greater than B starts by generating K ← {0, 1}κ for some pseudorandom function F1 Then B receives ppsFE from the challenger and forwards it as the ACE public parameter to the adversary A Adversary A then performs some oracle queries to OG and OE to which B replies as follows: – B receives (j, sen), then he sends ekj ← F1 (K, j) to A – B receives (j, rec), then he makes an oracle query O(fj ) to the challenger and gets back SKj B sends dkj = SKj to A – B receives (j, san), then he makes an oracle query O(frk ) to the challenger and gets back SKrk B sends rk = SKrk to A – B receives (i, m), then he computes eki ← F1 (K, i) and sends to A c ← sFE.Enc(ppsFE , (m, i, F2 (eki , m))) Access Control Encryption: Enforcing Information Flow with Cryptography 569 After the oracle queries B receives messages m0 , m1 and identities i0 , i1 from adversary A Then B computes ekil ← F1 (K, il ) for l ∈ {0, 1} and sends msFE and msFE to the challenger, where msFE = (ml , il , F2 (ekil , ml )) for l ∈ {0, 1} l Then the sFE challenger sends a ciphertext c , which B forwards to A as the ACE ciphertext This is followed by a new round of oracle queries If the sFE challenger is in case b = 0, then c is generated as an sFE encryption of message msFE , and we are in the case b = in the no-read game Similar, if the sFE challenger is in case b = 1, then we are in the case b = in the no-read game Note that our adversary respects the rules of the IND-CPA game, since sFE sFE sFE frk (msFE ) = frk (m1 ) = and fj (m0 ) = fj (m1 ) for all j such that SKj was queried This follows directly from the payload privacy (the function outputs ⊥) = msFE and sender anonymity (msFE ) properties of the no-read rule Thus, we can conclude that if A wins the no-read game with non-negligible probability, then B wins the IND-CPA security game for the sFE scheme Theorem For any adversary A that breaks the No-Write Rule of Construction 4, there exists an adversary B for the PRF security, an adversary C for the sanitizer property of the sFE scheme, and an adversary D for the IND-CPA security of the sFE scheme, such that the advantage of A is advACE,A ≤ · advPRF,B + advsFE,C + advsFE,D + 2−κ Proof This theorem is proven by presenting a series of hybrid games Hybrid The no-write game for b = Hybrid As Hybrid 0, except that when the challenger receives a oracle request (i, sen) he saves the identity: IS = IS ∪ i, and the encryption key eki ← F1 (K, i) When the challenger receives the challenge (c, i ) he uses the sFE master decryption to get (m∗ , i∗ , t∗ ) ← sFE.MDec(msk sFE , c) If i∗ ∈ / IS , then the challenger generates eki∗ honestly Next, he checks that t∗ = F2 (eki∗ , m∗ ) If the check goes through he computes the challenge response as c∗ ← sFE.San(ppsFE , c), otherwise c∗ ← San(rk, Enc(ek0 , ⊥)) Hybrid As Hybrid 1, except that the encryption keys are chosen uniformly at random: eki ←$ {0, 1}κ for all i, (note that eki∗ is also chosen at random) Hybrid As Hybrid 2, except that after receiving and master decrypting the challenge, the challenger check whether i∗ ∈ IS If this is the case the challenger checks the MAC t∗ as above, otherwise he compute the response as c∗ ← San(rk, Enc(ek0 , ⊥)) 570 I Damg˚ ard et al Hybrid As Hybrid 3, except that if the checks i∗ ∈ IS and t∗ = F2 (eki∗ , m∗ ) go through, then the challenger computes the response as c∗ ← sFE.San(ppsFE , sFE.Enc(ppsFE , (m∗ , i∗ , t∗ ))) Hybrid As Hybrid 4, except that the challenge response is computed as c∗ = San(rk, Enc(eki , r)) where r ←$ M and rk ← Gen(msk, n + 1, san) Hybrid As Hybrid 5, except that the encryption keys are generated honestly: eki ← F1 (K, i) for all i Observe, this is the no-write game for b = Now we show that each sequential pair of the hybrids are indistinguishable Claim Hybrids and are identical Proof This follows directly from the definition of the sanitization and sanitizer key rk Claim For any adversary A that can distinguish Hybrid and Hybrid 2, there exists an adversary B for the security of PRF F1 such that the advantage of A is advA ≤ advPRF,B Proof Assume that any adversary can break the PRF security with advantage , and assume for contradiction that we can distinguish the hybrids with advantage greater than Then we can construct an adversary B that breaks the PRF security with advantage greater than B starts by creating the public parameters honestly and sends it to the adversary All the adversary oracle queries are answered as follows: whenever B receives (i, sen) from the adversary, he sends i to the PRF challenger, receives back yi , set eki := yi , and sends eki to the adversary When B receives the challenge (i, m) he ask the challenger for the encryption key (as before), and encrypts m The rest of adversary’s queries are answered honestly by using the algorithms of the construction When B receives (c, i ) from the adversary, he / IS , then B creates master decrypts the ciphertext to get (m∗ , i∗ , t∗ ) If i∗ ∈ eki∗ by sending i∗ to the challenger B concludes the game by forwarding the adversary’s guess b to the challenger Observe that the if yi ← F1 (K, i) then we are in Hybrid 1, and if yi is uniform random, then we are in Hybrid Thus, if adversary A can distinguish between the hybrids, then B can break the constraint PRF property Claim For any adversary A that can distinguish Hybrid and Hybrid 3, there exists an adversary B for the security of PRF F2 such that the advantage of A is advA ≤ advPRF,B + 2−κ Access Control Encryption: Enforcing Information Flow with Cryptography 571 Proof Assume that any adversary can break the PRF security with advantage − 2−κ , and assume for contradiction that we can distinguish the hybrids with advantage greater than Then we can construct an adversary B that breaks the PRF security with advantage greater than − 2−κ B starts by creating the public parameters and sending them to the adversary The adversary’s oracle queries are answered honestly by using the algorithms of the construction When C receives the challenge (c, i ) he master decrypts the ciphertext to get (m∗ , i∗ , t∗ ) Then he sends m∗ to the challenger and receives back t If t = t∗ then B guess that the challenger is using the pseudorandom function F2 , otherwise B guess that the challenger is using a random function We evaluate now the advantage of B in the PRF game: Observe, if t is generated using F2 , then B outputs “PRF” with probability exactly In the case when t is generated using a random function, then it does not matter how t∗ was created, and the probability that t = t∗ is 2−κ Thus, the advantage of adversary B is greater than − 2κ Claim For any adversary A that can distinguish Hybrid and Hybrid 4, there exists an adversary C for the sanitizer property of the sFE scheme such that the advantage of A is advA ≤ advsFE,C Proof Assume that any adversary wins the sanitizer game for the sFE scheme with advantage , and assume for contradiction that we can distinguish the hybrids with advantage greater than Then we can construct an adversary C that wins the sanitizer game with advantage greater than C starts by receiving the sFE system parameters from the challenger, and he forwards the public parameters as the ACE public parameters to the adversary The adversary’s oracle queries are answered honestly by using the algorithms of the construction, since C receives the sFE master secret key from the challenger When C receives the challenge (c, i ) he master decrypts the ciphertext to get (m∗ , i∗ , t∗ ) Then he checks that i∗ ∈ IS and t∗ = F2 (eki∗ , m∗ ) If the check goes through he sends c to the challenger and receives back a sFE sanitized ciphertext c Thus, the challenge response is c∗ = c C concludes the game by forwarding the adversary’s guess b to the challenger Observe, if c = sFE.San(ppsFE , c), then we are in Hybrid On the other hand, we are in Hybrid if c = sFE.San(ppsFE , sFE.Enc(ppsFE , sFE.MDec(msk sFE , c))) Thus, if adversary A can distinguish between the hybrids, then C can break the sFE sanitizer property Claim For any adversary A that can distinguish Hybrid and Hybrid 5, there exists an adversary D for the IND-CPA security of the sFE scheme such that the advantage of A is advA ≤ advsFE,D Proof Assume that any adversary wins the IND-CPA game for the sFE scheme with advantage , and assume for contradiction that we can distinguish the 572 I Damg˚ ard et al hybrids with advantage greater than Then we can construct an adversary D that wins the IND-CPA game with advantage greater than D start by receiving the sFE public parameters from the challenger and forwards it to the challenger The adversary’s oracle queries are answered by sending secret key queries to the challenger, and otherwise using the algorithms of the construction (see the proof of Theorem for more details) When D receives the challenge (c, i ) he master decrypts the ciphertext to get (m∗ , i∗ , t∗ ) Then he checks that i∗ ∈ IS and t∗ = F2 (eki∗ , m∗ ) If the check goes through he set m0 = (m∗ , i∗ , t∗ ), otherwise he sets m0 = (⊥, 0, ⊥) Then he creates m1 = (r, i , F2 (eki , r)), sends m0 and m1 to the challenger, and receives back an sFE encryption c Next, D creates the response c∗ = sFE.San(ppsFE , c ) D concludes the game by forwarding the adversary’s guess b to the challenger If c is an encryption of the message m0 , then we are in Hybrid 4, and if it is an encryption of m1 , then we are in Hybrid Thus, if adversary A can distinguish between the hybrids, then D can break the sFE IND-CPA security Claim For any adversary A that can distinguish Hybrid and Hybrid 6, there exists an adversary B for the security of PRF F1 such that the advantage of A is advA ≤ advPRF,B The proof follow the same structure as the proof for Claim From these claims we can conclude that for any adversary A that can distinguish Hybrid and Hybrid 6, there exists an adversary B for the PRF security, an adversary C for the sanitizer property of the sFE scheme, and an adversary D for the IND-CPA security of the sFE scheme, such that the advantage of A is advACE,A ≤ · advPRF,B + advsFE,C + advsFE,D + 2−κ A A.1 Standard Building Blocks Pseudorandom Function Definition (PRF) We say F : {0, 1}κ ×{0, 1}∗ → {0, 1}κ is a pseudorandom function if for all PPT A advA = · | Pr[AOb (·) (1κ ) = b] − 1/2| < negl(κ) with O0 a uniform random function and O1 = FK Access Control Encryption: Enforcing Information Flow with Cryptography A.2 573 Statistical Simulation-Sound Non-Interactive Zero-Knowledge Proofs The content of this subsection is taken almost verbatim from [GGH+13] Let L be a language and R a relation such that x ∈ L if and only if there exists a witness w such that (x, w) ∈ R A non-interactive proof system [BFM88] for a relation R is defined by the following PPT algorithms Setup: The Setup algorithm takes as input the security parameter κ and outputs common reference string crs Prove: The Prove algorithm takes as input the common reference string crs, a statement x, and a witness w, and outputs a proof π Verify: The Verify algorithm takes as input the common reference string crs, a statement x, and a proof π It outputs if it accepts the proof, and otherwise The non-interactive proof system must be complete, meaning that if R(x, w) = and crs ← Setup(1κ ) then Verify(crs, x, Prove(crs, x, w)) = Furthermore, the proof system must be statistical sound, meaning that no (unbounded) adversary can convince a honest verifier of a false statement Moreover, we define the following additional properties of a non-interactive proof system Definition (Computational Zero-Knowledge) A non-interactive proof NIZK = (Setup, Prove, Verify) is computational zero-knowledge if there exists a polynomial time simulator Sim = (Sim1 , Sim2 ) such that for all non-uniform polynomial time adversaries A we have for all x ∈ L that Pr [crs ← Setup(1κ ); π ← Prove(crs, x, w) : A(crs, x, π) = 1] ≈ Pr [(crs, τ ) ← Sim1 (1κ , x); π ← Sim2 (crs, τ, x) : A(crs, x, π) = 1] where crs is the common reference string, x is the statement, w is the witness, π is the proof, and τ is the trapdoor Thus, the definition states that the proof not reveal any information about the witness to any bounded adversary In the definition this is formalized by the existence of two simulators, where Sim1 returns a simulated common reference string together with a trapdoor that enables Sim2 to simulate proofs without access to the witness 574 I Damg˚ ard et al Definition 10 (Statistical Simulation-Soundness) A non-interactive proof NIZK = (Setup, Prove, Verify) is statistical simulation-sound (SSS) if for all statements x and all (unbounded) adversaries A we have that Pr (crs, τ ) ← Sim1 (1κ , x); π ← Sim2 (crs, τ, x) : ≤ psss /L ∃(x , π ) : x = x : Verify(crs, x , π ) = : x ∈ where psss = negl(κ) is negligible in the security parameter Thus, the definition states that it is not possible to convince a honest verifier of a false statement even if the adversary is given a simulated proof Remark If a proof system is statistical simulation-sound then it is also statistical sound Thus, we can upper bound the negligible probability of statistical soundness by the negligible probability of the statistical simulation-soundness A.3 Indistinguishability Obfuscation We use an indistinguishability obfuscator like the one proposed in [GGH+13] such that C¯ ← iO(C) which takes any polynomial size circuit C and outputs an obfuscated version C¯ that satisfies the following property Definition 11 (Indistinguishability Obfuscation) We say iO is an indistinguishability obfuscator for a circuit class C if for all C0 , C1 ∈ C such that ∀x : C0 (x) = C1 (x) and |C0 | = |C1 | it holds that: ∀C ∈ C, ∀x ∈ {0, 1}n , iO(C)(x) = C(x); |iO(C)| = poly(λ|C|) for all PPT A: advA = · |Pr[A(iO(C0 )) = 1] − Pr[A(iO(C1 )) = 1]| < negl(λ) References [BFM88] Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract) In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, May 2–4, 1988, Chicago, Illinois, USA, pp 103–112 (1988) [Bib75] Biba, K.J.: Integrity considerations for secure computer systems No MTR3153-REV-1 MITRE Corp., Bedford, MA (1975) [BL73] Bell, D.E., LaPadula, L.J.: Secure computer systems: Mathematical foundations Draft MTR, The MITRE Corporation, (1973) Access Control Encryption: Enforcing Information Flow with Cryptography 575 [BP03] Backes, M., Pfitzmann, B.: Intransitive non-interference for cryptographic purpose In: 2003 IEEE Symposium on Security and Privacy (S&P 2003), 11–14 May 2003, Berkeley, CA, USA, p 140 (2003) [BP04] Backes, M., Pfitzmann, B.: Computational probabilistic noninterference Int J Inf Sec 3(1), 42–60 (2004) [BSW11] Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges In: Ishai, Y (ed.) TCC 2011 LNCS, vol 6597, pp 253–273 Springer, Heidelberg (2011) [DHO16] Damg˚ ard, I., Haagh, H., Orlandi, C.: Access control encryption: enforcing information flow with cryptography Cryptology ePrint Archive, Report 2016/106 (2016) http://eprint.iacr.org/2016/106 [DMS15] Dodis, Y., Mironov, I., Stephens-Davidowitz, N.: Message transmission with reverse firewalls—secure communication on corrupted machines In: Robshaw, M., Katz, J (eds.) CRYPTO 2016 LNCS, vol 9814, pp 341– 372 Springer, Heidelberg (2016) doi:10.1007/978-3-662-53018-4 13 [FAL06] Frikken, K., Atallah, M., Li, J.: Attribute-based access control with hidden policies and hidden credentials IEEE Trans Comput 55(10), 1259–1270 (2006) [FF15] Fehr, V., Fischlin, M.: Sanitizable signcryption: Sanitization over encrypted data (full version) IACR Cryptology ePrint Archive, 2015:765 (2015) [FFLW15] Ferrara, A.L., Fuchsbauer, G., Liu, B., Warinschi, B.: Policy privacy in cryptographic access control In: IEEE 28th Computer Security Foundations Symposium, CSF 2015, Verona, Italy, 13–17 July, 2015, pp 46–60 (2015) [Gam85] El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms IEEE Trans Inform Theory 31(4), 469–472 (1985) [GGH+13] Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, 26–29 October 2013, Berkeley, CA, USA, pp 40–49 (2013) [GJJS04] Golle, P., Jakobsson, M., Juels, A., Syverson, P.: Universal re-encryption for mixnets In: Okamoto, T (ed.) CT-RSA 2004 LNCS, vol 2964, pp 163–178 Springer, Heidelberg (2004) doi:10.1007/978-3-540-24660-2 14 [GPSW06] Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data In: Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, Alexandria, VA, USA, October 30 - November 3, 2006, pp 89–98 (2006) [HKN05] Halevi, S., Karger, P.A., Naor, D.: Enforcing confinement in distributed storage and a cryptographic model for access control IACR Cryptology ePrint Archive 2005:169 (2005) [HLA02] Hopper, N.J., Langford, J., Ahn, L.: Provably secure steganography In: Yung, M (ed.) CRYPTO 2002 LNCS, vol 2442, pp 77–92 Springer, Heidelberg (2002) doi:10.1007/3-540-45708-9 [KSW13] Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products J Cryptology 26(2), 191– 224 (2013) 576 I Damg˚ ard et al [KTS07] Kapadia, A., Tsang, P.P., Smith, S.W.: Attribute-based publishing with hidden credentials and hidden policies In: Proceedings of the Network and Distributed System Security Symposium, NDSS 2007, San Diego, California, USA, 28th February - 2nd March 2007 (2007) [MK11] Mă uller, S., Katzenbeisser, S.: Hiding the policy in cryptographic access control In: Meadows, C., Fernandez-Gago, C (eds.) STM 2011 LNCS, vol 7170, pp 90–105 Springer, Heidelberg (2012) doi:10.1007/ 978-3-642-29963-6 [MS15] Mironov, I., Stephens-Davidowitz, N.: Cryptographic reverse firewalls In: Oswald, E., Fischlin, M (eds.) EUROCRYPT 2015 LNCS, vol 9057, pp 657–686 Springer, Heidelberg (2015) doi:10.1007/978-3-662-46803-6 22 [PR07] Prabhakaran, M., Rosulek, M.: Rerandomizable RCCA encryption In: Menezes, A (ed.) CRYPTO 2007 LNCS, vol 4622, pp 517–534 Springer, Heidelberg (2007) doi:10.1007/978-3-540-74143-5 29 [RZB12] Raykova, M., Zhao, H., Bellovin, S.M.: Privacy enhanced access control for outsourced data sharing In: Keromytis, A.D (ed.) FC 2012 LNCS, vol 7397, pp 223–238 Springer, Heidelberg (2012) doi:10.1007/ 978-3-642-32946-3 17 Author Index Alon, Bar I-307 Agrawal, Shashank II-269 Ananth, Prabhanjan II-3 Apon, Daniel II-299 Applebaum, Benny I-27 Baum, Carsten I-461 Ben-Sasson, Eli II-31 Bitansky, Nir I-57, II-391 Blocki, Jeremiah II-517 Bogdanov, Andrej II-471 Brakerski, Zvika I-57, II-330 Bun, Mark I-607, I-635 Canetti, Ran II-61 Cascudo, Ignacio I-204 Cash, David II-330 Chen, Yi-Hsiu I-607 Chen, Yilei II-61 Chen, Yu-Chi II-3 Chiesa, Alessandro II-31 Chung, Kai-Min II-3 Cohen, Aloni I-84 Dachman-Soled, Dana II-169 Damgård, Ivan I-204, II-547 Devadas, Srinivas I-262 Fan, Xiong II-299 Fiore, Dario I-108 Garg, Sanjam I-491, II-241, II-419 Genkin, Daniel I-336 Goyal, Rishab II-361 Guo, Siyao II-471 Gupta, Divya I-491 Haagh, Helene II-547 Hazay, Carmit I-367, I-400, I-521 Hofheinz, Dennis II-121, II-146 Holmgren, Justin II-61 Impagliazzo, Russell Ishai, Yuval I-336 I-235 Jafargholi, Zahra I-433 Jager, Tibor II-146 Jaiswal, Ragesh I-235 Kabanets, Valentine I-235 Kalai, Yael I-57, II-91 Kapron, Bruce M I-235 King, Valerie I-235 Klein, Saleet I-84 Komargodski, Ilan I-139, II-471, II-485 Koppula, Venkata II-361 Kowalczyk, Lucas I-659 Lacerda, Felipe I-204 Li, Baiyu II-443 Lin, Huijia II-3 Lin, Wei-Kai II-3 Lindell, Yehuda I-554 Liu, Feng-Hao II-299 Malkin, Tal I-659 Maurer, Ueli I-3 Miao, Peihan I-491 Micciancio, Daniele II-443 Miles, Eric II-241 Mukherjee, Pratyay II-241 Naor, Moni II-485 Nielsen, Jesper Buus I-582 Nishimaki, Ryo II-391 Nitulescu, Anca I-108 Omri, Eran I-307 Orlandi, Claudio I-582, II-547 Orsini, Emmanuela I-461 Pandey, Omkant I-491 Paneth, Omer I-57, II-91 Passelègue, Alain II-391 578 Author Index Peikert, Chris II-217 Pietrzak, Krzysztof I-183 Polychroniadou, Antigoni I-367 Prabhakaran, Manoj II-269 Ranellucci, Samuel I-204 Rao, Vanishree II-121 Raykov, Pavel I-27 Raykova, Mariana II-61 Ren, Ling I-262 Renner, Renato I-3 Rupp, Andy II-146 Sahai, Amit II-241 Scholl, Peter I-461 Shiehian, Sina II-217 Skórski, Maciej I-159, I-183 Smart, Nigel P I-554 Soria-Vazquez, Eduardo I-554 Spini, Gabriele I-286 Spooner, Nicholas II-31 Srinivasan, Akshayaram II-241, II-419 Steinke, Thomas I-635 Targhi, Ehsan Ebrahimi II-192 Tessaro, Stefano I-235 Tsabary, Rotem II-330 Ullman, Jonathan I-659 Unruh, Dominique II-192 Vadhan, Salil I-607 Vaikuntanathan, Vinod I-57 Venkitasubramaniam, Muthuramakrishnan I-367, I-400 Waters, Brent II-361 Wee, Hoeteck II-330 Weiss, Mor I-336 Wichs, Daniel I-433, II-121, II-391 Yanai, Avishay I-521 Yogev, Eylon II-485 Yu, Ching-Hua II-269 Zémor, Gilles I-286 Zhandry, Mark I-659, II-241 Zhou, Hong-Sheng II-517 ... Smith (Eds.) • Theory of Cryptography 14th International Conference, TCC 2016- B Beijing, China, October 31 – November 3, 2016 Proceedings, Part II 123 Editors Martin Hirt Department of Computer... we are proud to be a part of it November 2016 Martin Hirt Adam Smith TCC 2016- B Theory of Cryptography Conference Beijing, China October 31 – November 3, 2016 Sponsored by the International Association... 1] = NEXP Probabilistically Checkable Proofs (PCPs) Probabilistically checkable proofs were introduced by [FRS88,BFLS91,AS98,ALM+98]: in a probabilistically-checkable proof, a probabilistic polynomial-time