On hiding information from an oracle

Abstract

We consider the problem of computing with encrypted data. Player A wishes to know the value f(x) for some x but lacks the power to compute it. Player B has the power to compute f an is willing to send f(y) to A if she sends him y, for any y. Informally, an encryption scheme for the problem f is a method by which A, using her inferior resources, can transform the cleartext instancex into a encrypted instancey, obtain f(y) from B, and infer ⊂x) from f(y) in such a way that B cannot infer x from y. When such an encryption scheme exists, we say that f is encryptable. The framework defined in this paper enables us to prove precise statements about what an encrypted instance hides and what it leaks, in an informationtheoretic sense. Our definitions are cast in the language of probability theory and do not involve assumptions such as the intractability of factoring or the existence of one-way functions. We use our framework to describe encryption schemes for some well-known functions. We also consider the following generalization of encryption schemes. Player A, who is limited to probabilistic polynomial time, wishes to guess the value f(x) which probability at least $\text{1}\text{2}\text{+ 1/|x|}{}^{\mathrm{c}}$ of being correct, for some constant c. Player B can compute any function and generate arbitrary probability distributions. Players A and B can interact for a polynomial.