Abstract
Laconic function evaluation (LFE) is a “flipped” version of fully homomorphic encryption, where the server performing the computation gets the output. The server commits itself to a function f by outputting a small digest. Clients can later efficiently encrypt inputs x with respect to the digest in much less time than computing f, and ensure that the server only decrypts f(x), but does not learn anything else about x. Prior works constructed LFE for circuits under LWE, and for Turing Machines (TMs) from indistinguishability obfuscation (iO). In this work we introduce LFE for Random-Access Machines (RAM-LFE). The server commits itself to a potentially huge database y via a short digest. Clients can later efficiently encrypt inputs x with respect to the digest and the server decrypts f(x, y) for some specified RAM program f (e.g., a universal RAM), without learning anything else about x. The main advantage of RAM-LFE is that the server’s decryption run-time only scales with the RAM run-time T of the computation f(x, y), which can be sublinear in both |x| and |y|. We consider a weakly efficient variant, where the client’s run-time is also allowed to scale linearly with T, but not |y|, and a fully efficient variant, where the client’s run-time must be sublinear in both T and |y|. We construct the former from doubly efficient private information retrieval (DEPIR) and laconic OT (LOT), both of which are known from RingLWE, and the latter from an additional use of iO. We then show how to leverage fully efficient RAM-LFE to also get (many-key) functional encryption for RAMs (RAM-FE) where secret keys are associated with big databases y and the decryption time is sublinear in |y|, as well as iO for RAMs where the obfuscated program contains a big database y and the evaluation time is sublinear in |y|.
Notes
1. It is known that LFE schemes require a common reference/random string (CRS); for simplicity we largely omit it from the discussion in the introduction. Also, by default we require that the digest is derived deterministically given f, which is a crucial feature for some applications. In this case, the digest cannot fully hide f, and we do not require any “function hiding” security. However, [QWW18] showed a generic transformation to achieve function hiding at the cost of having a randomized procedure to generate the digest. The security guarantee implicitly assumes a semi-honest server that computes \(\textsf{dig}_f\) correctly. If the function f is public, anyone can audit the digest by re-computing it to check that it is correct, or the server can provide a SNARG (for P) that it was computed correctly. If f is secret, the server can still provide a SNARK (for NP) that f belongs to some restricted class of functions deemed safe.
2. Throughout the introduction we omit fixed polynomial factors in the security parameter or polylogarithmic terms. We also restrict to boolean functions with 1-bit output.
3. We rely on the above formulation for simplicity in the intro, but it is equivalent to formulations where the client or the server chooses the program f since we can always embed the code of the actual program to be executed inside either x or y. Our technical definition allows the client to choose the program, but this is just for notational convenience. We also require the procedure that maps y to \((\textsf{dig}_y,\widetilde{y})\) to be deterministic and do not require \(\textsf{dig}_y\) to fully hide y. However, we can generically apply the transformation of [QWW18] to fully hide y at the cost of having a randomized procedure.
4. In particular, consider the RAM program f(x, y) that interprets \(x = (i,b)\) as an index i and a bit b and outputs \(y[i] \oplus b\) denoting the i’th location of y one-time padded with b. This program runs in time \(T=O(1)\). Using a RAM-LFE for f we can construct a 3-round DEPIR as follows. The server preprocesses y to derive \(\textsf{dig}_y, \widetilde{y}\). To privately retrieve y[i], the server/client run the following 3-round protocol: In the first round, the server sends \(\textsf{dig}_y\) to the client; in the second round the client encrypts \(x = (i,b)\) with \(b \leftarrow \{0,1\}\) chosen uniformly at random under the LFE and sends the ciphertext; and in the third round the server decrypts the ciphertext and sends \(y[i] \oplus b\) to the client, who removes the pad to recover y[i]. LFE security ensures that the server’s view can be simulated given \(y[i] \oplus b\), which is uniformly random and therefore reveals no information about the client’s index i.
5. Garbled RAM has weaker functionality in that the database y must be preprocessed by the client, but then provides stronger security by ensuring that y is hidden from the server. However, it is easy to also use RAM-LFE to achieve the stronger security guarantee by having the client encrypt the database y via a one-time pad derived from a PRF, and then include the PRF key as part of the encrypted input x and have the program execution use the PRF to decrypt each bit it reads from the database.
6. We can simply think of f as just being a universal RAM and all the actual code as being contained in y.
7. Note that we cannot achieve sublinear run-time in |x| since it is not preprocessed in this setting. Hence, if evaluation read only a subset of the positions of x, that would reveal additional information about the computation.
8. As in Sect. 5.1, we assume without loss of generality that the value \(\eta \) is the same for both the ORAM and DEPIR schemes, potentially padding the one that needs fewer accesses with arbitrary dummy accesses.
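The 3-round DEPIR of note 4, written out as an added example that is not part of the paper. Since no RAM-LFE scheme can be implemented in a few lines, the LFE is replaced here by an ideal functionality (an assumption: `IdealLFE` simply hands the decryptor exactly f(x, y) and nothing else, and only when its preprocessed database matches the digest). The digest is a deterministic SHA-256 of y, mirroring note 3, so a client can re-derive it from a public database as note 1 suggests. The last function samples the server's only view, \(y[i] \oplus b\), many times to show that it carries no information about i; all names and the sample database are constructed for this illustration.

```python
"""Constructed illustration of the 3-round DEPIR from RAM-LFE (footnote 4).
The LFE itself is idealized; everything else follows the note's three rounds."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Tuple


def program_f(x: Tuple[int, int], y: List[int]) -> int:
    """RAM program from the note: x = (i, b), output y[i] XOR b. One memory read, O(1) time."""
    i, b = x
    return y[i] ^ b


def digest(y: List[int]) -> bytes:
    """Deterministic digest of the database (note 3); anyone holding y can recompute it."""
    return hashlib.sha256(bytes(y)).digest()


@dataclass(frozen=True)
class Ciphertext:
    dig: bytes
    _x: Tuple[int, int]  # ASSUMPTION: ideal model keeps x inside; a real LFE ciphertext hides it


class IdealLFE:
    """Ideal stand-in for RAM-LFE: Dec returns exactly f(x, y) for the committed y, nothing more."""

    @staticmethod
    def enc(dig: bytes, x: Tuple[int, int]) -> Ciphertext:
        return Ciphertext(dig, x)

    @staticmethod
    def dec(y_tilde: List[int], ct: Ciphertext) -> int:
        # The preprocessed database must be the one the digest commits to.
        if digest(y_tilde) != ct.dig:
            raise ValueError("ciphertext was encrypted under a different digest")
        return program_f(ct._x, y_tilde)


class Server:
    """Holds the big database y; preprocessing here is just computing the digest."""

    def __init__(self, y: List[int]):
        self.y_tilde = list(y)
        self.dig = digest(self.y_tilde)
        self.view: List[int] = []  # everything the server learns during retrievals

    def round1(self) -> bytes:
        return self.dig

    def round3(self, ct: Ciphertext) -> int:
        padded = IdealLFE.dec(self.y_tilde, ct)
        self.view.append(padded)  # the only thing the server ever sees about the query
        return padded


class Client:
    """Wants y[i] without revealing i."""

    def __init__(self, i: int):
        self.i = i
        self.b = 0

    def round2(self, dig: bytes) -> Ciphertext:
        self.b = secrets.randbits(1)  # uniformly random one-time pad bit
        return IdealLFE.enc(dig, (self.i, self.b))

    def finish(self, padded: int) -> int:
        return padded ^ self.b  # remove the pad to recover y[i]


def retrieve(server: Server, i: int) -> int:
    """Run the three rounds for index i and return y[i]."""
    client = Client(i)
    dig = server.round1()
    ct = client.round2(dig)
    return client.finish(server.round3(ct))


def retrieve_all(y: List[int]) -> List[int]:
    """Correctness check: retrieving every index reproduces the database."""
    server = Server(y)
    return [retrieve(server, i) for i in range(len(y))]


def server_view_one_fraction(y: List[int], i: int, trials: int) -> float:
    """Fraction of trials in which the server sees the bit 1 when index i is queried.
    Whatever y[i] is, this is close to 1/2: the view is independent of i."""
    server = Server(y)
    for _ in range(trials):
        retrieve(server, i)
    return sum(server.view) / trials


if __name__ == "__main__":
    sample_y = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed database of 8 bits
    print("retrieved:", retrieve_all(sample_y))
    print("server sees 1 with frequency", server_view_one_fraction(sample_y, 2, 2000))
```

The design point is that the server's entire transcript is the list `server.view`, and the last function checks empirically what the note proves: the pad makes each entry a fair coin regardless of which index was queried, so the view can be simulated without i. The `digest` mismatch branch models the semi-honest requirement of note 1 that decryption is tied to the database the digest commits to.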
References
Ananth, P., Chung, K.-M., Fan, X., Qian, L.: Collusion-resistant functional encryption for RAMs. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part I. LNCS, vol. 13791, pp. 160–194. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22963-3_6
Agrawal, S., Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption: new perspectives and lower bounds. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 500–518. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_28
Ananth, P., Lombardi, A.: Succinct garbling schemes from functional encryption through a local simulation paradigm. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018, Part II. LNCS, vol. 11240, pp. 455–472. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_17
Bitansky, N., et al.: Indistinguishability obfuscation for RAM programs and succinct randomized encodings. SIAM J. Comput. 47(3), 1123–1210 (2018)
Cho, C., Döttling, N., Garg, S., Gupta, D., Miao, P., Polychroniadou, A.: Laconic oblivious transfer and its applications. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 33–65. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_2
Canetti, R., Holmgren, J.: Fully succinct garbled RAM. In: Sudan, M. (ed.) ITCS 2016: 7th Conference on Innovations in Theoretical Computer Science, pp. 169–178. Association for Computing Machinery, January 2016
Canetti, R., Holmgren, J., Jain, A., Vaikuntanathan, V.: Succinct garbling and indistinguishability obfuscation for RAM programs. In: Servedio, R.A., Rubinfeld, R. (eds.) 47th Annual ACM Symposium on Theory of Computing, pp. 429–437. ACM Press, June 2015
Döttling, N., Gajland, P., Malavolta, G.: Laconic function evaluation for Turing machines. In: Boldyreva, A., Kolesnikov, V. (eds.) PKC 2023, Part II. LNCS, vol. 13941, pp. 606–634. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-31371-4_21
Dong, F., Hao, Z., Mook, E., Wichs, D.: Laconic function evaluation, functional encryption and obfuscation for RAMs with sublinear computation. Cryptology ePrint Archive, Paper 2024/068 (2024). https://eprint.iacr.org/2024/068
Gentry, C., Halevi, S., Lu, S., Ostrovsky, R., Raykova, M., Wichs, D.: Garbled RAM revisited. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 405–422. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_23
Gentry, C., Halevi, S., Raykova, M., Wichs, D.: Outsourcing private RAM computation. In: 55th Annual Symposium on Foundations of Computer Science, pp. 404–413. IEEE Computer Society Press, October 2014
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th Annual ACM Symposium on Theory of Computing, pp. 555–564. ACM Press, June 2013
Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43(3), 431–473 (1996)
Garg, S., Ostrovsky, R., Srinivasan, A.: Adaptive garbled RAM from laconic oblivious transfer. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part III. LNCS, vol. 10993, pp. 515–544. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_18
Grauman, K.: Efficiently searching for similar images. Commun. ACM 53(6), 84–94 (2010)
Garg, S., Srinivasan, A.: Adaptively secure garbling with near optimal online complexity. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 535–565. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_18
Garg, S., Srinivasan, A.: A simple construction of iO for Turing machines. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018, Part II. LNCS, vol. 11240, pp. 425–454. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_16
Hamlin, A., Holmgren, J., Weiss, M., Wichs, D.: On the plausibility of fully homomorphic encryption for RAMs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part I. LNCS, vol. 11692, pp. 589–619. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_21
Jain, A., Lin, H., Luo, J.: On the optimal succinctness and efficiency of functional encryption and attribute-based encryption. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part III. LNCS, vol. 14006, pp. 479–510. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-30620-4_16
Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from well-founded assumptions. In: Khuller, S., Williams, V.V. (eds.) 53rd Annual ACM Symposium on Theory of Computing, pp. 60–73. ACM Press, June 2021
Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from LPN over \(\mathbb{F} _{p}\), DLIN, and PRGs in \({NC}^0\). In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part I. LNCS, vol. 13275, pp. 670–699. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-06944-4_23
Lin, W.-K., Mook, E., Wichs, D.: Doubly efficient private information retrieval and fully homomorphic RAM computation from Ring LWE. Cryptology ePrint Archive, Paper 2022/1703 (2022). https://eprint.iacr.org/2022/1703
Lu, S., Ostrovsky, R.: How to garble RAM programs? In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 719–734. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_42
Quach, W., Wee, H., Wichs, D.: Laconic function evaluation and applications. In: Thorup, M. (ed.) 59th Annual Symposium on Foundations of Computer Science, pp. 859–870. IEEE Computer Society Press, October 2018
Acknowledgements
We thank Ji Luo for helpful comments. Research supported by NSF grant CNS-1750795, CNS-2055510 and the JP Morgan Faculty Research Award.
Copyright information
© 2024 International Association for Cryptologic Research
Cite this paper
Dong, F., Hao, Z., Mook, E., Wichs, D. (2024). Laconic Function Evaluation, Functional Encryption and Obfuscation for RAMs with Sublinear Computation. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14652. Springer, Cham. https://doi.org/10.1007/978-3-031-58723-8_7
DOI: https://doi.org/10.1007/978-3-031-58723-8_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-58722-1
Online ISBN: 978-3-031-58723-8