*19:17* [Pub][ePrint]
Aggregatable Pseudorandom Functions and Connections to Learning, by Aloni Cohen and Shafi Goldwasser and Vinod Vaikuntanathan
In the first part of this work, we introduce a new type of pseudo-random function for which ``aggregate queries\'\' over exponential-sized sets can be efficiently answered. An example of an aggregate query may be the product of all function values belonging to an exponential-sized interval, or the sum of all function values on points for which a polynomial time predicate holds. We show how to use algebraic properties of underlying

classical pseudo random functions, to construct aggregatable pseudo random functions for a number of classes of aggregation queries under cryptographic hardness assumptions. On the flip side, we show that certain aggregate queries are impossible to support.

In the second part of this work, we show how various extensions of pseudo-random functions considered recently in the cryptographic literature, yield impossibility results for various extensions of machine learning models, continuing a line of investigation originated by Valiant and Kearns in the 1980s and 1990s. The extended pseudo-random functions we address include constrained pseudo random functions, aggregatable pseudo random functions, and pseudo random functions secure under related-key attacks.

*22:17* [Pub][ePrint]
Constrained Key-Homomorphic PRFs from Standard Lattice Assumptions Or: How to Secretly Embed a Circuit in Your PRF, by Zvika Brakerski and Vinod Vaikuntanathan
Boneh et al. (Crypto 13) and Banerjee and Peikert (Crypto 14) constructed pseudorandom functions (PRFs) from the Learning with Errors (LWE) assumption by embedding combinatorial objects, a path and a tree respectively, in instances of the LWE problem. In this work, we show how to generalize this approach to embed circuits, inspired by recent progress in the study of Attribute Based Encryption.Embedding a universal circuit for some class of functions allows us to produce constrained keys for functions in this class, which gives us the first standard-lattice-assumption-based constrained PRF (CPRF) for general bounded-description bounded-depth functions, for arbitrary polynomial bounds on the description size and the depth. (A constrained key w.r.t a circuit $C$ enables one to evaluate the PRF on all $x$ for which $C(x)=1$, but reveals nothing on the PRF values at other points.) We rely on the LWE assumption and on the one-dimensional SIS (Short Integer Solution) assumption, which are both related to the worst case hardness of general lattice problems. Previous constructions for similar function classes relied on such exotic assumptions as the existence of multilinear maps or secure program obfuscation. The main drawback of our construction is that it does not allow collusion (i.e. to provide more than a single constrained key to an adversary).

Similarly to the aforementioned previous works, our PRF family is also key homomorphic.

Interestingly, our constrained keys are very short. Their length does not depend directly either on the size of the constraint circuit or on the input length.

We are not aware of any prior construction achieving this property, even relying on strong assumptions such as indistinguishability obfuscation.

*19:17* [Pub][ePrint]
Obfuscating Circuits via Composite-Order Graded Encoding, by Benny Applebaum and Zvika Brakerski
We present a candidate obfuscator based on composite-order Graded Encoding Schemes (GES), which are a generalization of multilinear maps. Our obfuscator operates on circuits directly without converting them into formulas or branching programs as was done in previous solutions. As a result, the time and size complexity of the obfuscated program, measured by the number of GES elements, is directly proportional to the circuit complexity of the program being obfuscated. This improves upon previous constructions whose complexity was related to the formula or branching program size. Known instantiations of Graded Encoding Schemes allow us to obfuscate circuit classes of polynomial degree, which include for example families of circuits of logarithmic depth.We prove that our obfuscator is secure against a class of generic algebraic attacks, formulated by a generic graded encoding model. We further consider a more robust model which provides more power to the adversary and extend our results to this setting as well.

As a secondary contribution, we define a new simple notion of \\emph{algebraic security} (which was implicit in previous works) and show that it captures standard security relative to an ideal GES oracle.

*19:17* [Pub][ePrint]
On the Regularity of Lossy RSA: Improved Bounds and Applications to Padding-Based Encryption, by Adam Smith and Ye Zhang
We provide new bounds on how close to regular the map x |--> x^e is on arithmetic progressions in Z_N, assuming e | Phi(N) and N is composite. We use these bounds to analyze the security of natural cryptographic problems related to RSA, based on the well-studied Phi-Hiding assumption. For example, under this assumption, we show that RSA PKCS #1 v1.5 is secure against chosen-plaintext attacks for messages of length roughly (log N)/4 bits, whereas the previous analysis, due to Lewko et al (2013), applies only to messages of length less than (log N)/32.In addition to providing new bounds, we also show that a key lemma of Lewko et al. is incorrect. We prove a weaker version of the claim which is nonetheless sufficient for most, though not all, of their applications.

Our technical results can be viewed as showing that exponentiation in Z_N is a deterministic extractor for every source that is uniform on an arithmetic progression. Previous work showed this type of statement only on average over a large class of sources, or for much longer progressions (that is, sources with much more entropy).

*19:17* [Pub][ePrint]
Predicate Encryption for Circuits from LWE, by Sergey Gorbunov and Vinod Vaikuntanathan and Hoeteck Wee
In predicate encryption, a ciphertext is associated with descriptiveattribute values $x$ in addition to a plaintext $\\mu$, and a secret key is associated with a predicate $f$. Decryption returns plaintext

$\\mu$ if and only if $f(x) = 1$. Moreover, security of predicate

encryption guarantees that an adversary learns nothing about the attribute $x$ or the plaintext $\\mu$ from a ciphertext, given arbitrary many secret keys that are not authorized to decrypt the ciphertext individually.

We construct a leveled predicate encryption scheme for all circuits, assuming the hardness of the subexponential learning with errors (LWE) problem. That is, for any polynomial function $d = d(\\secp)$,

we construct a predicate encryption scheme for the class of all circuits with depth bounded by $d(\\secp)$, where $\\secp$ is the security parameter.