Shai Halevi’s research while affiliated with Aws Ocean Energy and other places


Publications (192)


Fig. 1. The construction of the scheme $E_f = (\mathrm{Gen}_f, \mathrm{Enc}_f, \mathrm{Dec}_f, \mathrm{Eval}_f)$ from a PKE scheme $E = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval})$ with message space $M$ and ciphertext space $T$, and a one-way function $f$ over $M$. The message space and ciphertext space of $E_f$ are $M \times M$ and $(T \times T) \cup (M \times M)$ respectively.
Achievable CCA2 Relaxation for Homomorphic Encryption

November 2024 · 14 Reads · 1 Citation · Journal of Cryptology · Craig Gentry · Shai Halevi

Homomorphic encryption (HE) protects data in-use, but can be computationally expensive. To avoid the costly bootstrapping procedure that refreshes ciphertexts, some works have explored client-aided outsourcing protocols, where the client intermittently refreshes ciphertexts for a server that is performing homomorphic computations. But is this approach secure against malicious servers? We present a CPA-secure encryption scheme that is completely insecure in this setting. We define a new notion of security, called funcCPA, that we prove is sufficient. Additionally, we show: Homomorphic encryption schemes that have a certain type of circuit privacy (for example, schemes in which ciphertexts can be “sanitized”) are funcCPA-secure. In particular, assuming certain existing HE schemes are CPA-secure, they are also funcCPA-secure. For certain encryption schemes, like Brakerski-Vaikuntanathan, that have a property that we call oblivious secret key extraction, funcCPA-security implies circular security, i.e., that it is secure to provide an encryption of the secret key in a form usable for bootstrapping (to construct fully homomorphic encryption).



Security with Functional Re-encryption from CPA

November 2023 · 29 Reads · 2 Citations · Lecture Notes in Computer Science

The notion of functional re-encryption security (funcCPA) for public-key encryption schemes was recently introduced by Akavia et al. (TCC’22), in the context of homomorphic encryption. This notion lies in between CPA security and CCA security: we give the attacker a functional re-encryption oracle instead of the decryption oracle of CCA security. This oracle takes a ciphertext $\textsf{ct}$ and a function $f$, and returns a fresh encryption of the output of $f$ applied to the decryption of $\textsf{ct}$; in symbols, $\textsf{ct}' = \textrm{Enc}(f(\textrm{Dec}(\textsf{ct})))$. More generally, we even allow for a multi-input version, where the oracle takes an arbitrary number of ciphertexts $\textsf{ct}_1, \ldots, \textsf{ct}_\ell$ and outputs $\textsf{ct}' = \textrm{Enc}(f(\textrm{Dec}(\textsf{ct}_1), \ldots, \textrm{Dec}(\textsf{ct}_\ell)))$. In this work we observe that funcCPA security may have applications beyond homomorphic encryption, and set out to study its properties. As our main contribution, we prove that funcCPA is “closer to CPA than to CCA”; that is, funcCPA secure encryption can be constructed in a black-box manner from CPA-secure encryption. We stress that, prior to our work, this was not known even for basic re-encryption queries corresponding to the identity function $f$. At the core of our result is a new technique, showing how to handle adaptive functional re-encryption queries using tools previously developed in the context of non-malleable encryption, which roughly corresponds to a single non-adaptive parallel decryption query.


Additive Randomized Encodings and Their Applications

August 2023 · 8 Reads · 2 Citations · Lecture Notes in Computer Science

Addition of $n$ inputs is often the easiest nontrivial function to compute securely. Motivated by several open questions, we ask what can be computed securely given only an oracle that computes the sum. Namely, what functions can be computed in a model where parties can only encode their input locally, then sum up the encodings over some Abelian group $\mathbb{G}$, and decode the result to get the function output. An additive randomized encoding (ARE) of a function $f(x_1, \ldots, x_n)$ maps every input $x_i$ independently into a randomized encoding $\hat{x}_i$, such that $\sum_{i=1}^n \hat{x}_i$ reveals $f(x_1, \ldots, x_n)$ and nothing else about the inputs. In a robust ARE, the sum of any subset of the $\hat{x}_i$ only reveals the residual function obtained by restricting the corresponding inputs. We obtain positive and negative results on ARE. In particular: Information-theoretic ARE. We fully characterize the 2-party functions $f: X_1 \times X_2 \rightarrow \{0,1\}$ admitting a perfectly secure ARE. For $n \ge 3$ parties, we show a useful “capped sum” function that separates statistical security from perfect security. Computational ARE. We present a general feasibility result, showing that all functions can be computed in this model, under a standard hardness assumption in bilinear groups. We also describe a heuristic lattice-based construction. Robust ARE. We present a similar feasibility result for robust computational ARE based on ideal obfuscation along with standard cryptographic assumptions. We then describe several applications of ARE and the above results. Under a standard cryptographic assumption, our computational ARE schemes imply the feasibility of general non-interactive secure computation in the shuffle model, where messages from different parties are shuffled. This implies a general utility-preserving compiler from differential privacy in the central model to computational differential privacy in the (non-robust) shuffle model. The existence of information-theoretic robust ARE implies “best-possible” information-theoretic MPC protocols (Halevi et al., TCC 2018) and degree-2 multiparty randomized encodings (Applebaum et al., TCC 2018). This yields new positive results for specific functions in the former model, as well as a simple unifying barrier for obtaining negative results in both models.


Achievable CCA2 Relaxation for Homomorphic Encryption

January 2023 · 30 Reads · 7 Citations · Lecture Notes in Computer Science

Homomorphic encryption (HE) protects data in-use, but can be computationally expensive. To avoid the costly bootstrapping procedure that refreshes ciphertexts, some works have explored client-aided outsourcing protocols, where the client intermittently refreshes ciphertexts for a server that is performing homomorphic computations. But is this approach secure against malicious servers? We present a CPA-secure encryption scheme that is completely insecure in this setting. We define a new notion of security, called funcCPA, that we prove is sufficient. Additionally, we show: Homomorphic encryption schemes that have a certain type of circuit privacy – for example, schemes in which ciphertexts can be “sanitized” – are funcCPA-secure. In particular, assuming certain existing HE schemes are CPA-secure, they are also funcCPA-secure. For certain encryption schemes, like Brakerski-Vaikuntanathan, that have a property that we call oblivious secret key extraction, funcCPA-security implies circular security – i.e., that it is secure to provide an encryption of the secret key in a form usable for bootstrapping (to construct fully homomorphic encryption). Namely, funcCPA-security lies strictly between CPA-security and CCA2-security (under reasonable assumptions), and has an interesting relationship with circular security, though it is not known to be equivalent.
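The two abstracts above (the funcCPA definition with its single- and multi-input oracle, and the client-aided refresh setting that motivates it) are easier to reason about with the oracle written out. The following is an added example, not code from either paper or from the cited schemes. It models the oracle ct' = Enc(f(Dec(ct_1), ..., Dec(ct_l))) over a textbook Paillier instance with tiny hard-coded primes, chosen only because it is a small, well-known additively homomorphic PKE; nothing here claims that Paillier is funcCPA-secure, and the names FuncReencOracle and outsourced_sum are assumptions made for this illustration.

```python
"""Functional re-encryption (funcCPA) oracle over a toy Paillier scheme.

Added illustration, not code from the cited papers.  Paillier is used only
because it is a small, well-known additively homomorphic PKE; the primes below
are tiny and the instance is insecure.  Nothing here claims that Paillier is
funcCPA-secure: the page's point is that a CPA-secure scheme can be broken by
such an oracle, so a deployment must use a scheme proven funcCPA-secure.
Names (FuncReencOracle, outsourced_sum) are assumptions for this example.
"""
import math
import random

P, Q = 1009, 1013  # constructed toy primes (real instances use ~1536-bit primes)


def keygen(p=P, q=Q):
    """Textbook Paillier keys with g = n+1, so L(g^lam mod n^2) = lam."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)
    return (n, n + 1), (n, lam, mu)  # (pk, sk)


def enc(pk, m):
    """Enc(m) = g^m * r^n mod n^2 with fresh r in Z_n^*; randomised, so
    re-encrypting the same plaintext yields an unrelated-looking ciphertext."""
    n, g = pk
    while True:
        r = random.randrange(1, n)
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m % n, n * n) * pow(r, n, n * n)) % (n * n)


def dec(sk, c):
    n, lam, mu = sk
    u = pow(c, lam, n * n)
    return ((u - 1) // n) * mu % n  # L(u) * mu mod n


def add(pk, c1, c2):
    """Homomorphic addition: Enc(m1) * Enc(m2) = Enc(m1 + m2 mod n)."""
    n, _ = pk
    return (c1 * c2) % (n * n)


class FuncReencOracle:
    """The funcCPA oracle: on (f, ct_1, ..., ct_l) return
    Enc(f(Dec(ct_1), ..., Dec(ct_l))).  The caller never sees a plaintext,
    only a fresh ciphertext, which is what separates this from a CCA
    decryption oracle.  The holder of sk (the client) runs it."""

    def __init__(self, pk, sk):
        self.pk, self.sk = pk, sk
        self.queries = 0

    def query(self, f, *cts):
        self.queries += 1
        plaintexts = [dec(self.sk, ct) for ct in cts]
        return enc(self.pk, f(*plaintexts))


def outsourced_sum(values):
    """Client-aided outsourcing in miniature: the server adds ciphertexts
    homomorphically, then uses the oracle (a) with f = identity to refresh
    the accumulator and (b) with a non-linear f that an additively
    homomorphic scheme cannot evaluate on its own."""
    pk, sk = keygen()
    oracle = FuncReencOracle(pk, sk)          # lives on the client
    cts = [enc(pk, v) for v in values]        # what the server receives
    acc = cts[0]
    for c in cts[1:]:
        acc = add(pk, acc, c)                 # server-side homomorphic work
    refreshed = oracle.query(lambda x: x, acc)            # single-input, f = id
    reduced = oracle.query(lambda x: x % 256, refreshed)  # single-input, f non-linear
    maxct = oracle.query(max, *cts)                       # multi-input form
    return {
        "sum": dec(sk, refreshed),
        "sum_mod_256": dec(sk, reduced),
        "max": dec(sk, maxct),
        "oracle_queries": oracle.queries,
    }
```

In the client-aided protocol of the abstract, the server's entire view is the sequence of `query` inputs and outputs. The abstract's warning is that for some CPA-secure schemes that view already suffices to break the scheme, so funcCPA security is the property to check before wiring a refresh step like this into a deployment.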


Random-Index Oblivious RAM

January 2023 · 2 Reads · 1 Citation · Lecture Notes in Computer Science

We study the notion of Random-index ORAM (RORAM), which is a weak form of ORAM where the Client is limited to asking for (and possibly modifying) random elements of the $N$-items memory, rather than specific ones. That is, whenever the client issues a request, it gets in return a pair $(r, x_r)$ where $r \in_R [N]$ is a random index and $x_r$ is the content of the $r$-th memory item. Then, the client can also modify the content to some new value $x'_r$. We first argue that the limited functionality of RORAM still suffices for certain applications. These include various applications of sampling (or sub-sampling) and, in particular, the very-large-scale MPC application in the setting of Benhamouda et al. [2]. Clearly, RORAM can be implemented using any ORAM scheme (by the Client selecting the random $r$’s by itself), but the hope is that the limited functionality of RORAM can make it faster and easier to implement than ORAM. Indeed, our main contributions are several RORAM schemes (both of the hierarchical-type and the tree-type) of lighter complexity than that of ORAM.
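The abstract notes that any ORAM yields a RORAM if the client samples r itself. The following added example (not code from the paper, and not one of its hierarchical or tree-type schemes) shows that generic reduction on top of the trivial linear-scan ORAM, where every access re-reads and re-writes the whole encrypted array, so the server's trace is identical no matter which r the client drew. The cell encryption (an HMAC-SHA256 keystream under a fresh nonce) and the class names Server, LinearScanORAM, RORAM and roram_demo are assumptions made for this illustration.

```python
"""Random-index ORAM (RORAM) interface over the trivial linear-scan ORAM.

Added illustration, not code from the paper.  Every access touches all N
cells (O(N) overhead), so obliviousness is immediate; the paper's schemes are
far lighter.  Encryption and names below are assumptions for this example."""
import hashlib
import hmac
import os
import random


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key, value):
    """Encrypt an 8-byte signed int under a fresh 16-byte nonce."""
    nonce = os.urandom(16)
    data = value.to_bytes(8, "big", signed=True)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, 8)))


def _open(key, blob):
    nonce, body = blob[:16], blob[16:]
    data = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return int.from_bytes(data, "big", signed=True)


class Server:
    """Untrusted storage; records every physical position it is asked to touch."""

    def __init__(self, blobs):
        self.blobs = list(blobs)
        self.trace = []

    def read(self, i):
        self.trace.append(("r", i))
        return self.blobs[i]

    def write(self, i, blob):
        self.trace.append(("w", i))
        self.blobs[i] = blob


class LinearScanORAM:
    """Trivial ORAM: read and re-encrypt every cell on each access."""

    def __init__(self, key, values):
        self.key, self.n = key, len(values)
        self.server = Server(_seal(key, v) for v in values)

    def access(self, index, new_value=None):
        result = None
        for i in range(self.n):
            v = _open(self.key, self.server.read(i))
            if i == index:
                result = v
                if new_value is not None:
                    v = new_value
            self.server.write(i, _seal(self.key, v))  # fresh nonce every time
        return result


class RORAM:
    """Random-index ORAM: the client only ever receives (r, x_r) for r it
    sampled uniformly itself, and may then overwrite x_r."""

    def __init__(self, oram, rng):
        self.oram, self.rng = oram, rng

    def sample(self):
        r = self.rng.randrange(self.oram.n)
        return r, self.oram.access(r)

    def update(self, r, new_value):
        self.oram.access(r, new_value)


def roram_demo(values, rounds, seed=None):
    """Do `rounds` random-index read-then-increment operations and report
    what the client saw and whether the server's trace depended on r."""
    oram = LinearScanORAM(os.urandom(32), values)
    roram = RORAM(oram, random.Random(seed))
    samples, seen, consistent = [], {}, True
    for _ in range(rounds):
        r, x = roram.sample()
        consistent &= (x == values[r] + seen.get(r, 0))  # reads reflect earlier writes
        seen[r] = seen.get(r, 0) + 1
        samples.append((r, x))
        roram.update(r, x + 1)
    block = 2 * oram.n  # one access = one read plus one write of every cell
    trace = oram.server.trace
    accesses = [tuple(trace[k:k + block]) for k in range(0, len(trace), block)]
    oblivious = len(accesses) == 2 * rounds and len(set(accesses)) == 1
    final = [oram.access(i) for i in range(oram.n)]
    return {"samples": samples, "consistent": consistent,
            "oblivious": oblivious, "final": final}
```

The server's trace is the only thing an honest-but-curious storage provider learns; with the linear scan it is the same 2N-entry pattern for every access, which is the property the paper's lighter constructions have to preserve while touching far fewer cells.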





Practical Non-interactive Publicly Verifiable Secret Sharing with Thousands of Parties

May 2022 · 21 Reads · 41 Citations · Lecture Notes in Computer Science

Non-interactive publicly verifiable secret sharing (PVSS) schemes enable (re-)sharing of secrets in a decentralized setting in the presence of malicious parties. A recently proposed application of PVSS schemes is to enable permissionless proof-of-stake blockchains to “keep a secret” via a sequence of committees that share that secret. These committees can use the secret to produce signatures on the blockchain’s behalf, or to disclose hidden data conditioned on consensus that some event has occurred. That application needs very large committees with thousands of parties, so the PVSS scheme in use must be efficient enough to support such large committees, in terms of both computation and communication. Yet, previous PVSS schemes have large proofs and/or require many exponentiations over large groups. We present a non-interactive PVSS scheme in which the underlying encryption scheme is based on the learning with errors (LWE) problem. While lattice-based encryption schemes are very fast, they often have long ciphertexts and public keys. We use the following two techniques to conserve bandwidth: First, we adapt the Peikert-Vaikuntanathan-Waters (PVW) encryption scheme to the multi-receiver setting, so that the bulk of the parties’ keys is a common random string. The resulting scheme yields Ω(1) amortized plaintext/ciphertext rate, where concretely the rate is ≈1/60 for 100 parties, ≈1/8 for 1000 parties, and approaching 1/2 as the number of parties grows. Second, we use bulletproofs over a DL-group of order about 256 bits to get compact proofs of correct encryption/decryption of shares. Alternating between the lattice and DL settings is relatively painless, as we equate the LWE modulus with the order of the group. We also show how to reduce the number of exponentiations in the bulletproofs by applying Johnson-Lindenstrauss-like compression to reduce the dimension of the vectors whose properties must be verified. An implementation of our PVSS with 1000 parties showed that it is feasible even at that size, and should remain so even with a one or two orders of magnitude increase in the committee size.


Citations (86)


... See Remark 3. We also note that [41, Theorems 3 and 5] are special cases of [10, Theorem 7]. Another follow-up work, by Dodis, Halevi and Wichs [24], showed that funcCPA-secure encryption can be constructed in a black-box manner from CPA-secure encryption. Moreover, they show that funcCPA-security is implied by CCA1-security (see [24, Footnote 2]). ...

Reference:

Achievable CCA2 Relaxation for Homomorphic Encryption
Security with Functional Re-encryption from CPA
  • Citing Chapter
  • November 2023

Lecture Notes in Computer Science

... In addition to reducing cipher expansion with respect to plaintext size, this CRT isomorphism enables Single Instruction, Multiple Data (SIMD) operations directly over encrypted integer vectors [26]. Many of the most recent libraries dealing with homomorphic cryptography, such as TFHE-rs and TFHE [27], HElib [28], Lattigo [29], NFLlib [30], PALISADE (currently updated and included inside the OpenFHE library [31]) and SEAL [32] take advantage of different variants of this tool to optimize polynomial operations. Specifically, the BFV implementation of HElib and PALISADE uses a double-CRT representation and works over general cyclotomic number fields. ...

OpenFHE: Open-Source Fully Homomorphic Encryption Library
  • Citing Conference Paper
  • November 2022

... To support large committees comprising thousands of participants, the scheme's communication and computation need to be sufficiently efficient. For this purpose, Gentry et al., based on the learning with errors problem, proposed a non-interactive publicly verifiable secret sharing scheme [35]. In 2017, Pilaram et al. [15] designed a multi-stage secret sharing scheme based on the Ajtai one-way function, and this scheme had multiple uses and was verifiable. ...

Practical Non-interactive Publicly Verifiable Secret Sharing with Thousands of Parties
  • Citing Chapter
  • May 2022

Lecture Notes in Computer Science

... To achieve 128-bit security level, ciphertexts coefficients need high-precision, i.e. up to thousands of bits [5,58], which are not natively supported by the 32-bit computational architectures in CPUs or GPUs. Naively, mapping high-precision data to low-precision computation unit requires two steps: (1) breaking high-precision coefficients into low-precision chunks supported by computation units and (2) executing multiplicative operations across all pairs of chunks from two coefficients. ...

Homomorphic Encryption Standard
  • Citing Chapter
  • January 2021

... Briefly, the randomness generated by the VRF primitive is employed to select leaders in the crucial leader election procedure which is ubiquitous in the PoS based systems. Likewise, it can used in the selection of a subset of participants (i.e., a committee) to execute cryptographic protocols (e.g., Multi-party computation (MPC) protocols in the YOSO model [21]). ...

YOSO: You Only Speak Once: Secure MPC with Stateless Ephemeral Roles
  • Citing Chapter
  • August 2021

Lecture Notes in Computer Science

... There has been a movement within the MPC research community to design non-interactive MPC protocols (NI-MPC) which only require one round of online communication [8, 37, 38, 39]. This concept can be thought of as a generalization of obfuscation, private simultaneous message protocols, and garbling schemes. ...

Round-Optimal Secure Multi-party Computation
  • Citing Article
  • July 2021

Journal of Cryptology

... Sparse secrets were first used in LWE-based homomorphic encryption to reduce the complexity of recryption, a part of bootstrapping [HS21], and were previously used to support bootstrapping in Gentry's original scheme [Gen09]. For certain schemes, the multiplicative depth of bootstrapping depends on the Hamming weight of the secret key [CH18]. ...

Bootstrapping for HElib
  • Citing Article
  • January 2021

Journal of Cryptology

... Potential security risks in WSN can manifest at several levels of conceptual communication. Loops, packet redirection to hostile nodes, and dependability compromises are all possible outcomes of attacks on routing and transport-layer protocols [27]. Because they can worsen congestion, transmission latency, and energy consumption, attacks that cause packet retransmissions to an excessive degree are also highly detrimental. ...

Can a Public Blockchain Keep a Secret?
  • Citing Chapter
  • December 2020

Lecture Notes in Computer Science