Laconic Function Evaluation, Functional Encryption and Obfuscation for RAMs with Sublinear Computation

  • Conference paper
Advances in Cryptology – EUROCRYPT 2024 (EUROCRYPT 2024)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14652)

Abstract

Laconic function evaluation (LFE) is a “flipped” version of fully homomorphic encryption, where the server performing the computation gets the output. The server commits itself to a function f by outputting a small digest. Clients can later efficiently encrypt inputs x with respect to the digest in much less time than computing f, and ensure that the server only decrypts f(x), but does not learn anything else about x. Prior works constructed LFE for circuits under LWE, and for Turing Machines (TMs) from indistinguishability obfuscation (iO). In this work we introduce LFE for Random-Access Machines (RAM-LFE). The server commits itself to a potentially huge database y via a short digest. Clients can later efficiently encrypt inputs x with respect to the digest and the server decrypts f(x, y) for some specified RAM program f (e.g., a universal RAM), without learning anything else about x. The main advantage of RAM-LFE is that the server’s decryption run-time only scales with the RAM run-time T of the computation f(x, y), which can be sublinear in both |x| and |y|. We consider a weakly efficient variant, where the client’s run-time is also allowed to scale linearly with T, but not |y|, and a fully efficient variant, where the client’s run-time must be sublinear in both T and |y|. We construct the former from doubly efficient private information retrieval (DEPIR) and laconic OT (LOT), both of which are known from RingLWE, and the latter from an additional use of iO. We then show how to leverage fully efficient RAM-LFE to also get (many-key) functional encryption for RAMs (RAM-FE) where secret keys are associated with big databases y and the decryption time is sublinear in |y|, as well as iO for RAMs where the obfuscated program contains a big database y and the evaluation time is sublinear in |y|.

Notes

  1. It is known that LFE schemes require a common reference/random string (CRS); for simplicity we largely omit it from the discussion in the introduction. Also, by default we require that the digest is derived deterministically given f, which is a crucial feature for some applications. In this case, the digest cannot fully hide f, and we do not require any “function hiding” security. However, [QWW18] showed a generic transformation to achieve function hiding at the cost of having a randomized procedure to generate the digest. The security guarantee implicitly assumes a semi-honest server that computes \(\textsf{dig}_f\) correctly. If the function f is public, anyone can audit the digest by re-computing it to check that it is correct, or the server can provide a SNARG (for P) that it was computed correctly. If f is secret, the server can still provide a SNARK (for NP) that f belongs to some restricted class of functions deemed safe.

  2. Throughout the introduction we omit fixed polynomial factors in the security parameter or polylogarithmic terms. We also restrict to boolean functions with 1-bit output.

  3. We rely on the above formulation for simplicity in the intro, but it is equivalent to formulations where the client or the server chooses the program f since we can always embed the code of the actual program to be executed inside either x or y. Our technical definition allows the client to choose the program, but this is just for notational convenience. We also require the procedure that maps y to \((\textsf{dig}_y,\widetilde{y})\) to be deterministic and do not require \(\textsf{dig}_y\) to fully hide y. However, we can generically apply the transformation of [QWW18] to fully hide y at the cost of having a randomized procedure.

  4. In particular, consider the RAM program f(x, y) that interprets \(x = (i,b)\) as an index i and a bit b and outputs \(y[i] \oplus b\), denoting the i’th location of y one-time padded with b. This program runs in time \(T=O(1)\). Using a RAM-LFE for f we can construct a 3-round DEPIR as follows. The server preprocesses y to derive \(\textsf{dig}_y, \widetilde{y}\). To privately retrieve y[i], the server and client run the following 3-round protocol: in the first round, the server sends \(\textsf{dig}_y\) to the client; in the second round, the client encrypts \(x = (i,b)\) with \(b \leftarrow \{0,1\}\) chosen uniformly at random under the LFE and sends the ciphertext; and in the third round, the server decrypts the ciphertext and sends \(y[i] \oplus b\) to the client, who removes the pad to recover y[i]. LFE security ensures that the server’s view can be simulated given \(y[i] \oplus b\), which is uniformly random and therefore reveals no information about the client’s index i.

  5. Garbled RAM has weaker functionality in that the database y must be preprocessed by the client, but then provides stronger security by ensuring that y is hidden from the server. However, it is easy to also use RAM-LFE to achieve the stronger security guarantee by having the client encrypt the database y via a one-time pad derived from a PRF, and then include the PRF key as part of the encrypted input x and have the program execution use the PRF to decrypt each bit it reads from the database.

  6. We can simply think of f as just being a universal RAM and all the actual code as being contained in y.

  7. Note that we cannot achieve sublinear run-time in |x| since it is not preprocessed in this setting. Hence, if evaluation reads only a subset of the positions of x, that would reveal additional information about the computation.

  8. As in Sect. 5.1, we assume without loss of generality that the value \(\eta \) is the same for both the ORAM and DEPIR schemes, potentially padding the one that needs fewer accesses with arbitrary dummy accesses.
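
The following is an added example, not code from the paper: it models the 3-round retrieval of note 4 running over the PRF-masked database of note 5. LFE encryption itself is not implemented; `ideal_lfe_decrypt` is an ideal-functionality stand-in, HMAC-SHA256 as the PRF is an assumption, and all function and class names are hypothetical.

```python
import hashlib
import hmac
import secrets

def prf_bit(key, j):
    # PRF_k(j) -> one pad bit. HMAC-SHA256 as the PRF is an assumption of this example.
    return hmac.new(key, j.to_bytes(8, "big"), hashlib.sha256).digest()[0] & 1

def mask_database(key, y):
    # Note 5: the client one-time pads every bit of y before the server stores it.
    return [bit ^ prf_bit(key, j) for j, bit in enumerate(y)]

class Memory:
    # Server-side random-access memory; counts reads to show T = O(1).
    # Hiding which cell is read is the job of the real scheme, not of this model.
    def __init__(self, cells):
        self.cells, self.reads = list(cells), 0

    def read(self, j):
        self.reads += 1
        return self.cells[j]

def ram_program(x, mem):
    # f(x, y~) for x = (key, i, b): note 4's program, unmasking the cell as in note 5.
    key, i, b = x
    return mem.read(i) ^ prf_bit(key, i) ^ b

def ideal_lfe_decrypt(x, mem):
    # Ideal-functionality stand-in for LFE: the server obtains f(x, y~) and nothing else about x.
    return ram_program(x, mem)

def retrieve(y_masked, key, i, b=None):
    # Rounds 2 and 3 of note 4: client pads with a random b, server decrypts, client removes b.
    b = secrets.randbits(1) if b is None else b
    mem = Memory(y_masked)
    server_view = ideal_lfe_decrypt((key, i, b), mem)
    return server_view ^ b, server_view, mem.reads

if __name__ == "__main__":
    y = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed sample database
    key = secrets.token_bytes(32)
    y_masked = mask_database(key, y)
    for i in range(len(y)):
        bit, view, reads = retrieve(y_masked, key, i)
        print(i, "recovered", bit, "server saw", view, "reads", reads)
```

For any fixed index i, the value the server sees flips with b, so over a uniform b it is a uniform bit regardless of i, which is the simulation argument of note 4.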

References

  1. Ananth, P., Chung, K.-M., Fan, X., Qian, L.: Collusion-resistant functional encryption for RAMs. In: Agrawal, S., Lin, D. (eds.) ASIACRYPT 2022, Part I. LNCS, vol. 13791, pp. 160–194. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22963-3_6

  2. Agrawal, S., Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption: new perspectives and lower bounds. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 500–518. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_28

  3. Ananth, P., Lombardi, A.: Succinct garbling schemes from functional encryption through a local simulation paradigm. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018, Part II. LNCS, vol. 11240, pp. 455–472. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_17

  4. Bitansky, N., et al.: Indistinguishability obfuscation for ram programs and succinct randomized encodings. SIAM J. Comput. 47(3), 1123–1210 (2018)

  5. Cho, C., Döttling, N., Garg, S., Gupta, D., Miao, P., Polychroniadou, A.: Laconic oblivious transfer and its applications. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 33–65. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_2

  6. Canetti, R., Holmgren, J.: Fully succinct garbled RAM. In: Sudan, M. (ed.) ITCS 2016: 7th Conference on Innovations in Theoretical Computer Science, pp. 169–178. Association for Computing Machinery, January 2016

  7. Canetti, R., Holmgren, J., Jain, A., Vaikuntanathan, V.: Succinct garbling and indistinguishability obfuscation for RAM programs. In: Servedio, R.A., Rubinfeld, R. (eds.) 47th Annual ACM Symposium on Theory of Computing, pp. 429–437. ACM Press, June 2015

  8. Döttling, N., Gajland, P., Malavolta, G.: Laconic function evaluation for turing machines. In: Boldyreva, A., Kolesnikov, V. (eds.) PKC 2023, Part II. LNCS, vol. 13941, pp. 606–634. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-31371-4_21

  9. Dong, F., Hao, Z., Mook, E., Wichs, D.: Laconic function evaluation, functional encryption and obfuscation for rams with sublinear computation. Cryptology ePrint Archive, Paper 2024/068 (2024). https://eprint.iacr.org/2024/068

  10. Gentry, C., Halevi, S., Lu, S., Ostrovsky, R., Raykova, M., Wichs, D.: Garbled RAM revisited. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 405–422. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_23

  11. Gentry, C., Halevi, S., Raykova, M., Wichs, D.: Outsourcing private RAM computation. In: 55th Annual Symposium on Foundations of Computer Science, pp. 404–413. IEEE Computer Society Press, October 2014

  12. Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th Annual ACM Symposium on Theory of Computing, pp. 555–564. ACM Press, June 2013

  13. Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious rams. J. ACM 43(3), 431–473 (1996)

  14. Garg, S., Ostrovsky, R., Srinivasan, A.: Adaptive garbled RAM from laconic oblivious transfer. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part III. LNCS, vol. 10993, pp. 515–544. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96878-0_18

  15. Grauman, K.: Efficiently searching for similar images. Commun. ACM 53(6), 84–94 (2010)

  16. Garg, S., Srinivasan, A.: Adaptively secure garbling with near optimal online complexity. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 535–565. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_18

  17. Garg, S., Srinivasan, A.: A simple construction of iO for turing machines. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018, Part II. LNCS, vol. 11240, pp. 425–454. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_16

  18. Hamlin, A., Holmgren, J., Weiss, M., Wichs, D.: On the plausibility of fully homomorphic encryption for RAMs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part I. LNCS, vol. 11692, pp. 589–619. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_21

  19. Jain, A., Lin, H., Luo, J.: On the optimal succinctness and efficiency of functional encryption and attribute-based encryption. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part III. LNCS, vol. 14006, pp. 479–510. Springer, Heidelberg (2023). https://doi.org/10.1007/978-3-031-30620-4_16

  20. Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from well-founded assumptions. In: Khuller, S., Williams, V.V. (eds.) 53rd Annual ACM Symposium on Theory of Computing, pp. 60–73. ACM Press, June 2021

  21. Jain, A., Lin, H., Sahai, A.: Indistinguishability obfuscation from LPN over \(\mathbb{F} _{p}\), DLIN, and PRGs in \({NC}^0\). In: Dunkelman, O., Dziembowski, S. (eds.) EUROCRYPT 2022, Part I. LNCS, vol. 13275, pp. 670–699. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-06944-4_23

  22. Lin, W.-K., Mook, E., Wichs, D.: Doubly efficient private information retrieval and fully homomorphic ram computation from ring LWE. Cryptology ePrint Archive, Paper 2022/1703 (2022). https://eprint.iacr.org/2022/1703

  23. Lu, S., Ostrovsky, R.: How to garble RAM programs? In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 719–734. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_42

  24. Quach, W., Wee, H., Wichs, D.: Laconic function evaluation and applications. In: Thorup, M. (ed.) 59th Annual Symposium on Foundations of Computer Science, pp. 859–870. IEEE Computer Society Press, October 2018

Acknowledgements

We thank Ji Luo for helpful comments. Research supported by NSF grant CNS-1750795, CNS-2055510 and the JP Morgan Faculty Research Award.

Corresponding author

Correspondence to Fangqi Dong.

Copyright information

© 2024 International Association for Cryptologic Research

About this paper

Cite this paper

Dong, F., Hao, Z., Mook, E., Wichs, D. (2024). Laconic Function Evaluation, Functional Encryption and Obfuscation for RAMs with Sublinear Computation. In: Joye, M., Leander, G. (eds) Advances in Cryptology – EUROCRYPT 2024. EUROCRYPT 2024. Lecture Notes in Computer Science, vol 14652. Springer, Cham. https://doi.org/10.1007/978-3-031-58723-8_7

  • DOI: https://doi.org/10.1007/978-3-031-58723-8_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-58722-1

  • Online ISBN: 978-3-031-58723-8

  • eBook Packages: Computer Science (R0)
