[BGK^{+}18] 
Multiparty NonInteractive Key Exchange and More From Isogenies on Elliptic Curves
MATHCRYPT 2018
[PDF]
[ePrint]
We describe a framework for constructing an efficient noninteractive key exchange (NIKE) protocol for n parties for any n >= 2. Our approach is based on the problem of computing
isogenies between isogenous elliptic curves, which is believed to be difficult. We do not obtain a working protocol because of a missing step that is currently an open problem.
What we need to complete our protocol is an efficient algorithm that takes as input an abelian variety presented as a product of isogenous elliptic curves, and outputs an isomorphism
invariant of the abelian variety.
Our framework builds a cryptographic invariant map, which is a new primitive closely related to a cryptographic multilinear map, but whose range does not necessarily have a group
structure. Nevertheless, we show that a cryptographic invariant map can be used to build several cryptographic primitives, including NIKE, that were previously constructed from
multilinear maps and indistinguishability obfuscation.
@inproceedings{BGKLSSTZ18, author = {Dan Boneh and Darren Glass and Daniel Krashen and Kristin Lauter and Shahed Sharif and Alice Silverberg and Mehdi Tibouchi and Mark Zhandry}, title = {Multiparty NonInteractive Key Exchange and More From Isogenies on Elliptic Curves}, booktitle = {Proceedings of MATHCRYPT 2018}, misc = {Full version available at \url{https://eprint.iacr.org/2018/665}}, year = {2018} }

[CLO^{+}18] 
ParameterHiding Order Revealing Encryption
[PDF]
[ePrint]
Orderrevealing encryption (ORE) is a popular primitive for outsourcing encrypted databases, as it allows for efficiently performing range queries over encrypted data.
Unfortunately, a series of works, starting with Naveed et al. (CCS 2015), have shown that when the adversary has a good estimate of the distribution of the data, ORE provides
little protection. In this work, we consider the case that the database entries are drawn identically and independently from a distribution of known shape, but for which the
mean and variance are not (and thus the attacks of Naveed et al. do not apply). We define a new notion of security for ORE, called parameterhiding ORE, which maintains the
secrecy of these parameters. We give a construction of ORE satisfying our new definition from bilinear maps.
@misc{CLOZZ18, author = {David Cash and FengHao Liu and Adam O'Neill and Mark Zhandry and Cong Zhang}, title = {ParameterHiding Order Revealing Encryption}, misc = {Full version available at \url{https://eprint.iacr.org/2018/698}}, year = {2018} }

[BGMZ18] 
Preventing Zeroizing Attacks on GGH15
By  James Bartusek, Jiaxin Guan, Fermi Ma, and Mark Zhandry 
[PDF]
[ePrint]
The GGH15 multilinear maps have served as the foundation for a number of cuttingedge cryptographic proposals. Unfortunately, many schemes built on GGH15 have been explicitly
broken by socalled "zeroizing attacks," which exploit leakage from honest zerotest queries. The precise settings in which zeroizing attacks are possible have remained unclear.
Most notably, none of the current indistinguishability obfuscation (iO) candidates from GGH15 have any formal security guarantees against zeroizing attacks.
In this work, we demonstrate that all known zeroizing attacks on GGH15 implicitly construct algebraic relations between the results of zerotesting and the encoded plaintext
elements. We then propose a "GGH15 zeroizing model" as a new general framework which greatly generalizes known attacks.
Our second contribution is to describe a new GGH15 variant, which we formally analyze in our GGH15 zeroizing model. We then construct a new iO candidate using our multilinear
map, which we prove secure in the GGH15 zeroizing model. This implies resistance to all known zeroizing strategies. The proof relies on the Branching Program UnAnnihilatability
(BPUA) Assumption of Garg et al. [TCC 16B] (which is implied by PRFs in NC^1 secure against P/Poly) and the complexitytheoretic pBounded Speedup Hypothesis of Miles et al.
[ePrint 14] (a strengthening of the Exponential Time Hypothesis).
@misc{BGMZ18, author = {James Bartusek and Jiaxin Guan and Fermi Ma and Mark Zhandry}, title = {Preventing Zeroizing Attacks on GGH15}, misc = {Full version available at \url{https://eprint.iacr.org/2018/511}}, year = {2018} }

[Zha18] 
How to Record Quantum Queries, and Applications to Quantum Indifferentiability
[PDF]
[ePrint]
The quantum random oracle model (QROM) has become the standard model in which to prove the postquantum security of randomoraclebased constructions. Unfortunately,
none of the known proof techniques allow the reduction to record information about the adversary`s queries, a crucial feature of many classical ROM proofs, including all
proofs of indifferentiability for hash function domain extension. In this work, we give a new QROM proof technique that overcomes this "recording barrier". Our central
observation is that when viewing the adversary`s query and the oracle itself in the Fourier domain, an oracle query switches from writing to the adversary`s space to
writing to the oracle itself. This allows a reduction to simulate the oracle by simply recording information about the adversary`s query in the Fourier domain.
We then use this new technique to show the indifferentiability of the MerkleDamgard domain extender for hash functions. Given the threat posed by quantum computers and
the push toward quantumresistant cryptosystems, our work represents an important tool for efficient postquantum cryptosystems.
@misc{Zha18, author = {Mark Zhandry}, title = {How to Record Quantum Queries, and Applications to Quantum Indifferentiability}, misc = {Full version available at \url{https://eprint.iacr.org/2018/276}}, year = {2018} }

[LZ17] 
Decomposable Obfuscation: A Framework for Building Applications of Obfuscation From Polynomial Hardness
By  Qipeng Liu and Mark Zhandry 
TCC 2017
[PDF]
[ePrint]
There is some evidence that indistinguishability obfuscation (iO) requires either exponentially many assumptions or (sub)exponentially hard assumptions, and indeed, all
known ways of building obfuscation suffer one of these two limitations. As such, any application built from iO suffers from these limitations as well. However, for most
applications, such limitations do not appear to be inherent to the application, just the approach using iO. Indeed, several recent works have shown how to base applications
of iO instead on functional encryption (FE), which can in turn be based on the polynomial hardness of just a few assumptions. However, these constructions are quite
complicated and recycle a lot of similar techniques.
In this work, we unify the results of previous works in the form of a weakened notion of obfuscation, called Decomposable Obfuscation. We show (1) how to build decomposable obfuscation from
functional encryption, and (2) how to build a variety of applications from decomposable obfuscation, including all of the applications already known from FE. The construction in (1)
hides most of the difficult techniques in the prior work, whereas the constructions in (2) are much closer to the comparatively simple constructions from iO. As such,
decomposable obfuscation represents a convenient new platform for obtaining more applications from polynomial hardness.
@inproceedings{LZ17, author = {Qipeng Liu and Mark Zhandry}, title = {Decomposable Obfuscation: A Framework for Building Applications of Obfuscation From Polynomial Hardness}, booktitle = {Proceedings of TCC 2017}, misc = {Full version available at \url{https://eprint.iacr.org/2017/209}}, year = {2017} }

[Zha17] 
Quantum Lightning Never Strikes the Same State Twice
[PDF]
[ePrint]
Public key quantum money can be seen as a version of the quantum nocloning theorem that holds even when the quantum states can be verified by the adversary. In this work,
investigate quantum lightning, a formalization of "collisionfree quantum money" defined by Lutomirski et al. [ICS`10], where nocloning holds even when the
adversary herself generates the quantum state to be cloned. We then study quantum money and quantum lightning, showing the following results:
• We demonstrate the usefulness of quantum lightning beyond quantum money by showing several potential applications, such as generating random strings with a proof of
entropy, to completely decentralized cryptocurrency without a blockchain, where transactions is instant and local.
• We give winwin results for quantum money/lightning, showing that either signatures/hash functions/commitment schemes meet very strong recently proposed notions of
security, or they yield quantum money or lightning. Given the difficulty in constructing public key quantum money, this gives some indication that natural schemes do attain
strong security guarantees.
• We construct quantum lightning under the assumed multicollision resistance of random degree2 systems of polynomials. Our construction is inspired by our winwin
result for hash functions, and yields the first plausible standard model instantiation of a \emph{noncollapsing} collision resistant hash function. This improves on a
result of Unruh [Eurocrypt`16] that requires a quantum oracle.
•We show that instantiating the quantum money scheme of Aaronson and Christiano [STOC`12] with indistinguishability obfuscation that is secure against quantum
computers yields a secure quantum money scheme. This construction can be seen as an instance of our winwin result for signatures, giving the first separation between two
security notions for signatures from the literature.
Thus, we provide the first constructions of public key quantum money from several cryptographic assumptions. Along the way, we develop several new techniques including a
new precise variant of the nocloning theorem.
@misc{Zha17, author = {Mark Zhandry}, title = {Quantum Lightning Never Strikes the Same State Twice}, misc = {Full version available at \url{https://eprint.iacr.org/2017/1080}}, year = {2017} }

[ZZ17] 
Impossibility of OrderRevealing Encryption in Idealized Models
By  Mark Zhandry and Cong Zhang 
[PDF]
[ePrint]
An OrderRevealing Encryption (ORE) scheme gives a public procedure by which two ciphertext can be compared to reveal the order of their underlying plaintexts. The ideal
security notion for ORE is that only the order is revealed — anything else, such as the distance between plaintexts, is hidden. The only known constructions of ORE
achieving such ideal security are based on cryptographic multilinear maps, and are currently too impractical for realworld applications. In this work, we give evidence
that building ORE from weaker tools may be hard. Indeed, we show blackbox separations between ORE and most symmetrickey primitives, as well as public key encryption and
anything else implied by generic groups in a blackbox way. Thus, any construction of ORE must either (1) achieve weaker notions of security, (2) be based on more complicated
cryptographic tools, or (3) require nonblackbox techniques. This suggests that any ORE achieving ideal security will likely be somewhat inefficient.
Central to our proof is an proof of impossibility for something we call information theoretic ORE, which has connections to tournament graphs and a theorem by Erdoös.
This impossibility proof will be useful for proving other black box separations for ORE.
@misc{ZZ17, author = {Mark Zhandry and Cong Zhang}, title = {Impossibility of OrderRevealing Encryption in Idealized Models}, misc = {Full version available at \url{https://eprint.iacr.org/2017/1001}}, year = {2017} }

[MZ17b] 
New Multilinear Maps from CLT13 with Provable Security Against Zeroizing Attacks
[PDF]
[ePrint]
We devise the first weak multilinear map model for CLT13 multilinear maps (Coron et al., CRYPTO 2013) that captures all known classical polynomialtime attacks on the maps.
We then show important applications of our model. First, we show that in our model, several existing obfuscation and orderrevealing encryption schemes, when instantiated with
CLT13 maps, are secure against known attacks under a mild algebraic complexity assumption used in prior work. These are schemes that are actually being implemented for
experimentation. However, until our work, they had no rigorous justification for security.
Next, we turn to building constant degree multilinear maps on top of CLT13 for which there are no known attacks. Precisely, we prove that our scheme achieves the ideal security
notion for multilinear maps in our weak CLT13 model, under a much stronger variant of the algebraic complexity assumption used above. Our multilinear maps do not achieve the
full functionality of multilinear maps as envisioned by Boneh and Silverberg (Contemporary Mathematics, 2003), but do allow for rerandomization and for encoding arbitrary
plaintext elements.
@misc{MZ17b, author = {Fermi Ma and Mark Zhandry}, title = {New Multilinear Maps from CLT13 with Provable Security Against Zeroizing Attacks}, misc = {Full version available at \url{https://eprint.iacr.org/2017/946}}, year = {2017} }

[GPSZ17] 
Breaking the SubExponential Barrier in Obfustopia
EUROCRYPT 2017
[PDF]
[ePrint]
Indistinguishability obfuscation (iO) has emerged as a surprisingly powerful notion. Almost all known cryptographic primitives can be constructed from general purpose iO and
other minimalistic assumptions such as oneway functions. The primary challenge in this direction of research is to develop novel techniques for using iO since iO by itself
offers virtually no protection to secret information in the underlying programs. When dealing with complex situations, often these techniques have to consider an exponential
number of hybrids (usually one per input) in the security proof. This results in a subexponential loss in the security reduction. Unfortunately, this scenario is becoming more
and more common and appears to be a fundamental barrier to current techniques.
In this work, we explore the possibility of getting around this subexponential loss barrier
in constructions based on iO as well as the weaker notion of functional encryption (FE). Towards this goal, we achieve the following results:
• We construct trapdoor oneway permutations from polynomiallyhard iO (and standard oneway permutations). This improves upon the recent result of Bitansky, Paneth, and
Wichs (TCC 2016) which requires iO of subexponential strength.
• We present a different construction of trapdoor oneway permutations based on standard, polynomiallysecure, publickey functional encryption. This qualitatively improves
upon our first result since FE is a weaker primitive than iO — it can be based on polynomiallyhard assumptions on multilinear maps whereas iO inherently seems to requires
assumptions of subexponential strength.
• We present a construction of universal samplers also based only on polynomiallysecure publickey FE. Universal samplers, introduced in the work of Hofheinz, Jager, Khurana,
Sahai, Waters and Zhandry (EPRINT 2014), is an appealing notion which allows a single trusted setup for any protocol. As an application of this result, we construct a noninteractive
multiparty key exchange (NIKE) protocol for an unbounded number of users without a trusted setup. Prior to this work, such constructions were only known from indistinguishability
obfuscation.
In obtaining our results, we build upon and significantly extend the techniques of Garg, Pandey, and Srinivasan (EPRINT 2015) introduced in the context of reducing PPADhardness
to polynomiallysecure iO and FE.
@inproceedings{GPSZ17, author = {Sanjam Garg and Omkant Pandey and Akshayaram Srinivasan and Mark Zhandry}, title = {Breaking the SubExponential Barrier in Obfustopia}, booktitle = {Proceedings of EUROCRYPT 2017}, misc = {Full version available at \url{https://eprint.iacr.org/2016/102}}, year = {2017} }

[MZ17a] 
Encryptor Combiners: A Unified Approach to Multiparty NIKE, (H)IBE, and Broadcast Encryption
[PDF]
[ePrint]
We define the concept of an encryptor combiner. Roughly, such a combiner takes as input n public keys for a public key encryption scheme, and produces a new combined
public key. Anyone knowing a secret key for one of the input public keys can learn the secret key for the combined public key, but an outsider who just knows the input
public keys (who can therefore compute the combined public key for himself) cannot decrypt ciphertexts from the combined public key. We actually think of public keys
more generally as encryption procedures, which can correspond to, say, encrypting to a particular identity under an IBE scheme or encrypting to a set of attributes
under an ABE scheme.
We show that encryptor combiners satisfying certain natural properties can give natural constructions of multiparty noninteractive key exchange, lowoverhead
broadcast encryption, and hierarchical identitybased encryption. We then show how to construct two different encryptor combiners. Our first is built from universal
samplers (which can in turn be built from indistinguishability obfuscation) and is sufficient for each application above, in some cases improving on existing
obfuscationbased constructions. Our second is built from lattices, and is sufficient for hierarchical identitybased encryption. Thus, encryptor combiners
serve as a new abstraction that (1) is a useful tool for designing cryptosystems, (2) unifies constructing hierarchical IBE from vastly different assumptions,
and (3) provides a target for instantiating obfuscation applications from better tools.
@misc{MZ17a, author = {Fermi Ma and Mark Zhandry}, title = {Encryptor Combiners: A Unified Approach to Multiparty NIKE, (H)IBE, and Broadcast Encryption}, misc = {Full version available at \url{https://eprint.iacr.org/2017/152}}, year = {2017} }

[HJK^{+}16] 
How to Generate and use Universal Samplers
AsiaCrypt 2016
[PDF]
[ePrint]
The random oracle is an idealization that allows to model a hash function as an oracle that will output a uniformly random
string given an input. We introduce the notion of universal sampler scheme as a method sampling securely from
arbitrary distributions.
We first motivate such a notion by describing several applications including generating
the trusted parameters for many schemes from just a single trusted setup. We further demonstrate the versatility of universal
sampler by showing how they give rise to applications such as identitybased encryption and multiparty key exchange.
We give a solution in the random oracle model based on indistinguishability obfuscation. At the heart of our construction and
proof is a new technique we call "delayed backdoor programming".
@inproceedings{HJKSWZ16, author = {Dennis Hofheinz and Tibor Jager and Dakshita Khurana and Amit Sahai and Brent Waters and Mark Zhandry}, title = {How to Generate and use Universal Samplers}, booktitle = {Proceedings of AsiaCrypt 2016}, misc = {Full version available at \url{http://eprint.iacr.org/2014/507}}, year = {2016} }

[Zha16c] 
A Note on QuantumSecure PRPs
[PDF]
[ePrint]
We show how to construct pseudorandom permutations (PRPs) that remain secure even if the adversary can query the permutation on a quantum superposition of inputs.
Such PRPs are called quantumsecure. Our construction combines a quantumsecure pseudorandom function together with constructions of classical
format preserving encryption. By combining known results, we obtain the first quantumsecure PRP in this model whose security relies only on the existence of oneway
functions. Previously, to the best of the author`s knowledge, quantum security of PRPs had to be assumed, and there were no prior security reductions to simpler
primitives, let alone oneway functions.
@misc{Zha16c, author = {Mark Zhandry}, title = {A Note on QuantumSecure PRPs}, misc = {Full version available at \url{https://eprint.iacr.org/2016/1076}}, year = {2016} }

[KMUZ16] 
Strong Hardness of Privacy from Weak Traitor Tracing
TCC 2016B
[PDF]
[ePrint]
Despite much study, the computational complexity of differential privacy remains poorly understood. In this paper we consider the computational complexity of
accurately answering a family Q of statistical queries over a data universe X under differential privacy. A statistical query
on a dataset D∈X^{n} asks "what fraction of the elements of D satisfy a given predicate p on X?" Dwork et al. (STOC`09) and Boneh and Zhandry
(CRYPTO`14) showed that if both Q and X are of polynomial size, then there is an efficient differentially private algorithm that accurately answers all the
queries, and if both Q and X are exponential size, then under a plausible assumption, no efficient algorithm exists.
We show that, under the same assumption, if either the number of queries or the data universe is of exponential size, then there is no
differentially private algorithm that answers all the queries. Specifically, we prove that if oneway functions and indistinguishability obfuscation exist, then:
• For every n, there is a family Q of O(n^{7}) queries on a data universe X of size 2^{d} such that no poly(n,d) time differentially private
algorithm takes a dataset D∈X^{n} and outputs accurate answers to every query in Q.
•For every n, there is a family Q of 2^{d} queries on a data universe X of size O(n^{7}) such that no poly(n,d) time differentially private
algorithm takes a dataset D∈X^{n} and outputs accurate answers to every query in Q.
In both cases, the result is nearly quantitatively tight, since there is an efficient differentially private algorithm that answers Ω(n^{2}) queries
on an exponential size data universe, and one that answers exponentially many queries on a data universe of size Ω(n^{2}).
Our proofs build on the connection between hardness results in differential privacy and traitortracing schemes (Dwork et al., STOC`09; Ullman, STOC`13).
We prove our hardness result for a polynomial size query set (resp., data universe) by showing that they follow from the existence of a special type of
traitortracing scheme with very short ciphertexts (resp., secret keys), but very weak security guarantees, and then constructing such a scheme.
@inproceedings{KMUZ16, author = {Lucas Kowalczyk and Tal Malkin and Jonathan Ullman and Mark Zhandry}, title = {Strong Hardness of Privacy from Weak Traitor Tracing}, booktitle = {Proceedings of TCC 2016B}, misc = {Full version available at \url{https://eprint.iacr.org/2016/721}}, year = {2016} }

[GMM^{+}16] 
Secure Obfuscation in a Weak Multilinear Map Model
TCC 2016B
[PDF]
[ePrint]
All known candidate indistinguishibility obfuscation (iO) schemes rely on candidate multilinear maps. Until recently, the strongest proofs of security
available for iO candidates were in a generic model that only allows "honest" use of the multilinear map. Most notably, in this model the zerotest procedure
only reveals whether an encoded element is 0, and nothing more.
However, this model is inadequate: there have been several attacks on multilinear maps
that exploit extra information revealed by the zerotest procedure. In particular, Miles, Sahai and Zhandry [Crypto`16] recently gave a polynomialtime attack
on several iO candidates when instantiated with the multilinear maps of Garg, Gentry, and Halevi [Eurocrypt`13], and also proposed a new "weak multilinear map
model" that captures all known polynomialtime attacks on GGH13.
In this work, we give a new iO candidate which can be seen as a small modification or
generalization of the original candidate of Garg, Gentry, Halevi, Raykova, Sahai, and Waters [FOCS`13]. We prove its security in the weak multilinear map model,
thus giving the first iO candidate that is provably secure against all known polynomialtime attacks on GGH13. The proof of security relies on a new assumption
about the hardness of computing annihilating polynomials, and we show that this assumption is implied by the existence of pseudorandom functions in NC^1.
@inproceedings{GMMSSZ16, author = {Sanjam Garg and Eric Miles and Pratyay Mukherjee and Amit Sahai and Akshayaram Srinivasan and Mark Zhandry}, title = {Secure Obfuscation in a Weak Multilinear Map Model}, booktitle = {Proceedings of TCC 2016B}, misc = {Full version available at \url{https://eprint.iacr.org/2016/817}}, year = {2016} }
Merged version of [BMS16] and [MSZ16]

[GYZ16] 
New Security Notions and Feasibility Results for Authentication of Quantum Data
QCrypt 2016
[PDF]
[arXiv]
We give a new class of security definitions for authentication in the quantum setting. Our definitions capture and strengthen several existing definitions,
including superposition attacks on classical authentication, as well as full authentication of quantum data. We argue that our definitions resolve some of
the shortcomings of existing definitions.
We then give several feasibility results for our strong definitions. As a consequence, we obtain several interesting results, including:
(1) the classical CarterWegman authentication scheme with 3universal hashing is secure against superposition attacks, as well as adversaries with quantum
side information;
(2) quantum authentication where the entire key can be reused if verification is successful;
(3) conceptually simple constructions of quantum authentication; and
(4) a conceptually simple QKD protocol.
@inproceedings{GYZ16, author = {Sumegha Garg and Henry Yuen and Mark Zhandry}, title = {New Security Notions and Feasibility Results for Authentication of Quantum Data}, booktitle = {Proceedings of QCrypt 2016}, misc = {Full version available at \url{https://arxiv.org/abs/1607.07759}}, year = {2016} }

[Zha16b] 
The Magic of ELFs
CRYPTO 2016 (Best Young Researcher Award)
[PDF]
[ePrint]
[slides]
We introduce the notion of an Extremely Lossy Function (ELF). An ELF is a family of functions with an image size that is tunable anywhere from injective to having a
polynomialsized image. Moreover, for any efficient adversary, for a sufficiently large polynomial r (necessarily chosen to be larger than the running time of the adversary),
the adversary cannot distinguish the injective case from the case of image size r.
We develop a handful of techniques for using ELFs, and show that such extreme lossiness is useful for instantiating random oracles in several settings. In particular, we show
how to use ELFs to build secure point function obfuscation with auxiliary input, as well as polynomiallymany hardcore bits for any oneway function. Such applications were
previously known from strong knowledge assumptions — for example polynomiallymany hardcore bits were only know from differing inputs obfuscation, a notion whose
plausibility has been seriously challenged. We also use ELFs to build a simple hash function with output intractability, a new notion we define that may be useful for
generating common reference strings.
Next, we give a construction of ELFs relying on the exponential hardness of the decisional DiffieHellman problem, which is plausible in elliptic curve groups. Combining
with the applications above, our work gives several practical constructions relying on qualitatively different — and arguably better — assumptions than prior works.
@inproceedings{Zha16b, author = {Mark Zhandry}, title = {The Magic of ELFs}, booktitle = {Proceedings of CRYPTO 2016}, misc = {Full version available at \url{https://eprint.iacr.org/2016/114}}, year = {2016} }

[MSZ16b] 
Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13
CRYPTO 2016
[PDF]
[ePrint]

[MSZ16a] 
Secure Obfuscation in a Weak Multilinear Map Model: A Simple Construction Secure Against All Known Attacks
[PDF]
[ePrint]
All known candidate indistinguishibility obfuscation (iO) schemes rely on candidate multilinear maps. Until recently, the strongest proofs of security available
for iO candidates were in a generic model that only allows "honest" use of the multilinear map. Most notably, in this model the zerotest procedure only reveals
whether an encoded element is 0, and nothing more.
However, this model is inadequate: there have been several attacks on multilinear maps that exploit extra information revealed by the zerotest procedure. In
particular, the authors [Crypto`16] recently gave a polynomialtime attack on several iO candidates when instantiated with the multilinear maps of Garg, Gentry,
and Halevi [Eurocrypt`13], and also proposed a new "weak multilinear map model" that captures all known polynomialtime attacks on GGH13.
Subsequent to those attacks, Garg, Mukherjee, and Srinivasan [ePrint`16] gave a beautiful new candidate iO construction, using a new variant of the GGH13
multilinear map candidate, and proved its security in the weak multilinear map model assuming an explicit PRF in NC^1.
In this work, we give a simpler candidate iO construction, which can be seen as a small modification or generalization of the original iO candidate of Garg,
Gentry, Halevi, Raykova, Sahai, and Waters [FOCS`13], and we prove its security in the weak multilinear map model. Our work has a number of benefits over
that of GMS16.
• Our construction and analysis are simpler. In particular, the proof of our security theorem is 4 pages, versus 15 pages in GMS16.
• We do not require any change to the original GGH13 multilinear map candidate.
• We prove the security of our candidate under a more general assumption. One way that our assumption can be true is if there exists a PRF in NC^1.
• GMS16 required an explicit PRF in NC^1 to be "hardwired" into their obfuscation candidate. In contrast, our scheme does not require any such hardwiring.
In fact, roughly speaking, our obfuscation candidate will depend only on the minimal size of such a PRF, and not on any other details of the PRF.
@misc{MSZ16a, author = {Eric Miles and Amit Sahai and Mark Zhandry}, title = {Secure Obfuscation in a Weak Multilinear Map Model: A Simple Construction Secure Against All Known Attacks}, misc = {Full version available at \url{https://eprint.iacr.org/2016/588}}, year = {2016} }

[BMSZ16] 
PostZeroizing Obfuscation: New Mathematical Tools, and the Case of Evasive Circuits
EUROCRYPT 2016
[PDF]
[ePrint]
[slides]
Recent devastating attacks by Cheon et al.~[Eurocrypt`15] and others have highlighted significant gaps in our intuition about security in candidate
multilinear map schemes, and in candidate obfuscators that use them. The new attacks, and some that were previously known, are typically called
"zeroizing" attacks because they all crucially rely on the ability of the adversary to create encodings of 0.
In this work, we initiate the study of postzeroizing obfuscation, and we present a construction for the special case of evasive functions. We
show that our obfuscator survives all known attacks on the underlying multilinear maps, by proving that no encodings of 0 can be created by
a genericmodel adversary. Previous obfuscators (for both evasive and general functions) were either analyzed in a lessconservative "prezeroizing"
model that does not capture recent attacks, or were proved secure relative to assumptions that are now known to be false.
To prove security, we introduce a new technique for analyzing polynomials over multilinear map encodings. This technique shows that the types of
encodings an adversary can create are much more restricted than was previously known, and is a crucial step toward achieving postzeroizing security.
We also believe the technique is of independent interest, as it yields efficiency improvements for existing schemes.
@inproceedings{BMSZ16, author = {Saikrishna Badrinarayanan and Eric Miles and Amit Sahai and Mark Zhandry}, title = {PostZeroizing Obfuscation: New Mathematical Tools, and the Case of Evasive Circuits}, booktitle = {Proceedings of EUROCRYPT 2016}, misc = {Full version available at \url{http://eprint.iacr.org/2015/167}}, year = {2016} }

[NWZ16] 
Anonymous Traitor Tracing: How to Embed Arbitrary Information in a Key
EUROCRYPT 2016
[PDF]
[ePrint]

[BZ16] 
OrderRevealing Encryption and the Hardness of Private Learning
TCC 2016A
[PDF]
[arXiv]
An orderrevealing encryption scheme gives a public procedure by which two ciphertexts can be compared to reveal the ordering of their underlying
plaintexts. We show how to use orderrevealing encryption to separate computationally efficient PAC learning from efficient (ε,δ)differentially
private PAC learning. That is, we construct a concept class that is efficiently PAC learnable, but for which every efficient learner fails to be differentially
private. This answers a question of Kasiviswanathan et al. (FOCS `08, SIAM J. Comput. `11).
To prove our result, we give a generic transformation from an orderrevealing encryption scheme into one with strongly correct comparison, which enables the
consistent comparison of ciphertexts that are not obtained as the valid encryption of any message. We believe this construction may be of independent interest.
@inproceedings{BZ16, author = {Mark Bun and Mark Zhandry}, title = {OrderRevealing Encryption and the Hardness of Private Learning}, booktitle = {Proceedings of TCC 2016A}, misc = {Full version available at \url{http://arxiv.org/abs/1505.00388}}, year = {2016} }

[GGHZ16] 
Functional Encryption without Obfuscation
TCC 2016A
[PDF]
[ePrint]
[slides]
Previously known functional encryption (FE) schemes for general circuits relied on indistinguishability obfuscation, which in
turn either relies on an exponential number of assumptions (basically, one per circuit), or a polynomial set of assumptions, but
with an exponential loss in the security reduction. Additionally these schemes are proved in an unrealistic selective security
model, where the adversary is forced to specify its target before seeing the public parameters. For these constructions, full
security can be obtained but at the cost of an exponential loss in the security reduction.
In this work, we overcome the above limitations and realize a fully secure functional encryption scheme without using indistinguishability
obfuscation. Specifically the security of our scheme relies only on the polynomial hardness of simple assumptions on multilinear maps.
@inproceedings{GGHZ16, author = {Sanjam Garg and Craig Gentry and Shai Halevi and Mark Zhandry}, title = {Functional Encryption without Obfuscation}, booktitle = {Proceedings of TCC 2016A}, misc = {Full version available at \url{http://eprint.iacr.org/2014/666}}, year = {2016} }

[Zha16a] 
How to Avoid Obfuscation Using Witness PRFs
TCC 2016A
[PDF]
[ePrint]
We propose a new cryptographic primitive called witness pseudorandom functions (witness PRFs). Witness PRFs are related to
witness encryption, but appear strictly stronger: we show that witness PRFs can be used for applications such as multiparty key
exchange without trsuted setup, polynomiallymany hardcore bits for any oneway function, and several others that were previously
only possible using obfuscation. Current candidate obfuscators are far from practical and typically rely on unnatural hardness
assumptions about multilinear maps. We give a construction of witness PRFs from multilinear maps that is simpler and much more
efficient than current obfuscation candidates, thus bringing several applications of obfuscation closer to practice. Our construction
relies on new but very natural hardness assumptions about the underlying maps that appear to be resistant to a recent line of attacks.
@inproceedings{Zha16a, author = {Mark Zhandry}, title = {How to Avoid Obfuscation Using Witness PRFs}, booktitle = {Proceedings of TCC 2016A}, misc = {Full version available at \url{http://eprint.iacr.org/2014/301}}, year = {2016} }

[KZ16] 
CuttingEdge Cryptography Through the Lens of Secret Sharing
TCC 2016A
[PDF]
[ePrint]
Secret sharing is a mechanism by which a trusted dealer holding a secret "splits" a secret into many "shares" and distributes the shares to a collection
of parties. Associated with the sharing is a monotone access structure, that specifies which parties are "qualified" and which are not: any qualified subset
of parties can (efficiently) reconstruct the secret, but no unqualified subset can learn anything about the secret. In the most general form of secret sharing,
the access structure can be any monotone NP language.
In this work, we consider two very natural extensions of secret sharing. In the first, which we
call distributed secret sharing, there is no trusted dealer at all, and instead the role of the dealer is distributed amongst the parties themselves. Distributed
secret sharing can be thought of as combining the features of multiparty noninteractive key exchange and standard secret sharing, and may be useful in settings
where the secret is so sensitive that no one individual dealer can be trusted with the secret. Our second notion is called functional secret sharing, which incorporates
some of the features of functional encryption into secret sharing by providing more finegrained access to the secret. Qualified subsets of parties do not learn the
secret, but instead learn some function applied to the secret, with each set of parties potentially learning a different function.
Our main result is that both
of the extensions above are equivalent to several recent cuttingedge primitives. In particular, generalpurpose distributed secret sharing is equivalent to witness
PRFs, and generalpurpose functional secret sharing is equivalent to indistinguishability obfuscation. Thus, our work shows that it is possible to view some of the
recent developments in cryptography through a secret sharing lens, yielding new insights about both these cuttingedge primitives and secret sharing.
@inproceedings{KZ16, author = {Ilan Komargodski and Mark Zhandry}, title = {CuttingEdge Cryptography Through the Lens of Secret Sharing}, booktitle = {Proceedings of TCC 2016A}, misc = {Full version available at \url{http://eprint.iacr.org/2015/735}}, year = {2016} }

[Zha15c] 
Quantum Oracle Classification: The Case of Group Structure
[PDF]
[arXiv]
The Quantum Oracle Classification (QOC) problem is to classify a function, given only quantum black box access, into one of several classes without necessarily determining
the entire function. Generally, QOC captures a very wide range of problems in quantum query complexity. However, relatively little is known about many of these problems.
In this work, we analyze the a subclass of the QOC problems where there is a group structure. That is, suppose the range of the unknown function A is a commutative group G, which
induces a commutative group law over the entire function space. Then we consider the case where A is drawn uniformly at random from some subgroup A of the function space.
Moreover, there is a homomorpism f on A, and the goal is to determine f(A). This class of problems is very general, and covers several interesting cases, such as oracle evaluation;
polynomial interpolation, evaluation, and extrapolation; and parity. These problems are important in the study of message authentication codes in the quantum setting, and may have
other applications.
We exactly characterize the quantum query complexity of every instance of QOC with group structure in terms of a particular counting problem. That is,
we provide an algorithm for this general class of problems whose success probability is determined by the solution to the counting problem, and prove its exact optimality.
Unfortunately, solving this counting problem in general is a nontrivial task, and we resort to analyzing special cases. Our bounds unify some existing results, such as the
existing oracle evaluation and parity bounds. In the case of polynomial interpolation and evaluation, our bounds give new results for secret sharing and information theoretic
message authentication codes in the quantum setting.
@misc{Zha15c, author = {Mark Zhandry}, title = {Quantum Oracle Classification: The Case of Group Structure}, misc = {Full version available at \url{http://arxiv.org/abs/1510.08352}}, year = {2015} }

[Zha15b] 
Secure IdentityBased Encryption in the Quantum Random Oracle Model
CRYPTO 2012, International Journal of Quantum Information
[PDF]
[ePrint]
[slides]
We give the first proof of security for an identitybased encryption scheme in the quantum random
oracle model. This is the first proof of security for any scheme in this model that requires no
additional assumptions. Our techniques are quite general and we use them to obtain security proofs for
two random oracle hierarchical identitybased encryption schemes and a random oracle signature scheme,
all of which have previously resisted quantum security proofs, even using additional assumptions. We also
explain how to remove the extra assumptions from prior quantum random oracle model proofs. We accomplish
these results by developing new tools for arguing that quantum algorithms cannot distinguish between two
oracle distributions. Using a particular class of oracle distributions, so called semiconstant
distributions, we argue that the aforementioned cryptosystems are secure against quantum adversaries.
@article{Zha15b, author = {Mark Zhandry}, title = {Secure IdentityBased Encryption in the Quantum Random Oracle Model}, journal = {International Journal of Quantum Information}, volume = {13}, number = {4}, misc = {Full version available at \url{http://eprint.iacr.org/2012/076}}, year = {2015} }

[Zha15a] 
A Note on the Quantum Collision and Set Equality Problems
Quantum Information and Computation
[PDF]
[arXiv]
The results showing a quantum query complexity of Θ(N^{1/3}) for the collision problem do not apply to
random functions. The issues are twofold. First, the Ω(N^{1/3}) lower bound only applies when the range
is no larger than the domain, which precludes many of the cryptographically interesting applications. Second, most of
the results in the literature only apply to rto1 functions, which are quite different from random functions.
Understanding the collision problem for random functions is of great importance to cryptography, and we seek to fill the
gaps of knowledge for this problem. To that end, we prove that, as expected, a quantum query complexity of
Θ(N^{1/3}) holds for all interesting domain and range sizes. Our proofs are simple, and combine existing
techniques with several novel tricks to obtain the desired results.
Using our techniques, we also give an optimal Ω(N^{1/3}) lower bound for the set equality problem. This new lower
bound can be used to improve the relationship between classical randomized query complexity and quantum query complexity for
socalled permutationsymmetric functions.
@article{Zha15a, author = {Mark Zhandry}, title = {A Note on the Quantum Collision and Set Equality Problems}, journal = {Quantum Information and Computation}, volume = {15}, number = {7\& 8}, misc = {Full version available at \url{http://arxiv.org/abs/1312.1027}}, year = {2015} }

[BLR^{+}15] 
Semantically Secure OrderRevealing Encryption: MultiInput Functional Encryption Without Obfuscation
EUROCRYPT 2015
[PDF]
[ePrint]

[SZ14] 
Obfuscating LowRank Matrix Branching Programs
[PDF]
[ePrint]
In this work, we seek to extend the capabilities of the "core obfuscator" from the work of Garg, Gentry, Halevi, Raykova, Sahai,
and Waters (FOCS 2013), and all subsequent works constructing generalpurpose obfuscators. This core obfuscator builds upon
approximate multilinear maps, and applies to matrix branching programs. All previous works, however, limited the applicability of
such core obfuscators to matrix branching programs where each matrix was of full rank. As we illustrate by example, this
limitation is quite problematic, and intuitively limits the core obfuscator to obfuscating matrix branching programs that cannot
"forget." At a technical level, this limitation arises in previous work because all previous work relies on Kilian`s statistical
simulation theorem, which is false when applied to matrices not of full rank.
In our work, we build the first core
obfuscator that can apply to matrix branching programs where matrices can be of arbitrary rank. We prove security of our
obfuscator in the generic multilinear model, demonstrating a new proof technique that bypasses Kilian`s statistical simulation
theorem. Furthermore, our obfuscator achieves two other notable advances over previous work:
• Our construction allows for nonsquare matrices of arbitrary dimensions. We also show that this flexibility yields
concrete efficiency gains.
• Our construction allows for a single obfuscation to yield multiple bits of output. All previous work yielded only one bit
of output.
Our work leads to significant efficiency gains for obfuscation. Furthermore, our work can be applied to achieve efficiency gains
even in applications not directly using obfuscation.
@misc{SZ14, author = {Amit Sahai and Mark Zhandry}, title = {Obfuscating LowRank Matrix Branching Programs}, misc = {Full version available at \url{http://eprint.iacr.org/2014/773}}, year = {2014} }
Subsumed by [BMSZ16]

[Zha14] 
Adaptively Secure Broadcast Encryption with Small System Parameters
[PDF]
[ePrint]
We build the first publickey broadcast encryption systems that simultaneously achieve adaptive security against arbitrary number
of colluders, have small system parameters, and have security proofs that do not rely on knowledge assumptions or complexity
leveraging. Our schemes are built from either composite order multilinear maps or obfuscation and enjoy a ciphertext overhead,
private key size, and public key size that are all polylogarithmic in the total number of users. Previous broadcast schemes with
similar parameters are either proven secure in a weaker static model, or rely on nonfalsifiable knowledge assumptions.
@misc{Zha14, author = {Mark Zhandry}, title = {Adaptively Secure Broadcast Encryption with Small System Parameters}, misc = {Full version available at \url{http://eprint.iacr.org/2014/757}}, year = {2014} }

[BZ14] 
Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation
CRYPTO 2014
[PDF]
[ePrint]
[slides]
In this work, we show how to use indistinguishability obfuscation (iO) to build multiparty key exchange,
efficient broadcast encryption, and efficient traitor tracing. Our schemes enjoy several interesting
properties that have not been achievable before:
• Our multiparty noninteractive key exchange protocol does not require a trusted setup. Moreover,
the size of the published value from each user is independent of the total number of users.
• Our broadcast encryption schemes support distributed setup, where users choose their own
secret keys rather than be given secret keys by a trusted entity. The broadcast ciphertext size is
independent of the number of users.
• Our traitor tracing system is fully collusion resistant with short ciphertexts, secret keys,
and public key. Ciphertext size is logarithmic in the number of users and secret key size is independent
of the number of users. Our public key size is polylogarithmic in the number of users. The recent
functional encryption system of Garg, Gentry, Halevi, Raykova, Sahai, and Waters also leads to a traitor
tracing scheme with similar ciphertext and secret key size, but the construction in this paper is simpler
and more direct. These constructions resolve an open problem relating to differential privacy.
• Generalizing our traitor tracing system gives a private broadcast encryption scheme (where broadcast
ciphertexts reveal minimal information about the recipient set) with optimal size ciphertext.
Several of our proofs of security introduce new tools for proving security using indistinguishability obfuscation.
@inproceedings{BZ14, author = {Dan Boneh and Mark Zhandry}, title = {Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation}, booktitle = {Proceedings of CRYPTO 2014}, misc = {Full version available at \url{http://eprint.iacr.org/2013/642}}, year = {2014} }

[BWZ14] 
Low Overhead Broadcast Encryption from Multilinear Maps
CRYPTO 2014
[PDF]
[ePrint]
[slides]
We use multilinear maps to provide a solution to the longstanding problem of publickey broadcast encryption where all
parameters in the system are small. In our constructions, ciphertext overhead, private key size, and public key size are
all polylogarithmic in the total number of users. The systems are fully collusionresistant against any number of colluders.
All our systems are based on an O(log N)way multilinear map to support a broadcast system for N users. We present three
constructions based on different types of multilinear maps and providing different security guarantees. Our systems naturally
give identitybased broadcast systems with short parameters.
@inproceedings{BWZ14, author = {Dan Boneh and Brent Waters and Mark Zhandry}, title = {Low Overhead Broadcast Encryption from Multilinear Maps}, booktitle = {Proceedings of CRYPTO 2014}, misc = {Full version available at \url{http://eprint.iacr.org/2014/195}}, year = {2014} }

[GGHZ14] 
Fully Secure Attribute Based Encryption from Multilinear Maps
[PDF]
[ePrint]
We construct the first fully secure attribute based encryption (ABE) scheme that can handle access control policies
expressible as polynomialsize circuits. Previous ABE schemes for general circuits were proved secure only in an unrealistic
selective security model, where the adversary is forced to specify its target before seeing the public parameters, and full
security could be obtained only by complexity leveraging, where the reduction succeeds only if correctly guesses the adversary's
target string x^*, incurring a 2^{x^*} loss factor in the tightness of the reduction.
At a very high level, our basic ABE scheme is reminiscent of Yao's garbled circuits, with 4 gadgets per gate of the circuit, but
where the decrypter in our scheme puts together the appropriate subset of gate gadgets like puzzle pieces by using a cryptographic
multilinear map to multiply the pieces together. We use a novel twist of Waters' dual encryption methodology to prove the full
security of our scheme. Most importantly, we show how to preserve the delicate informationtheoretic argument at the heart of Waters'
dual system by enfolding it in an informationtheoretic argument similar to that used in Yao's garbled circuits.
@misc{GGHZ14, author = {Sanjam Garg and Craig Gentry and Shai Halevi and Mark Zhandry}, title = {Fully Secure Attribute Based Encryption from Multilinear Maps}, misc = {Full version available at \url{http://eprint.iacr.org/2014/622}}, year = {2014} }

[ABG^{+}13] 
DifferingInputs Obfuscation and Applications
[PDF]
[ePrint]

[BZ13b] 
Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World
CRYPTO 2013
[PDF]
[ePrint]
[slides]
We initiate the study of quantumsecure digital signatures and quantum chosen ciphertext
security. In the case of signatures, we enhance the standard chosen message query model by allowing the
adversary to issue quantum chosen message queries: given a superposition of messages, the adversary
receives a superposition of signatures on those messages. Similarly, for encryption, we allow the adversary
to issue quantum chosen ciphertext queries: given a superposition of ciphertexts, the adversary
receives a superposition of their decryptions. These adversaries model a natural postquantum environment
where endusers sign messages and decrypt ciphertexts on a personal quantum computer.
We construct
classical systems that remain secure when exposed to such quantum queries. For signatures we construct two
compilers that convert classically secure signatures into signatures secure in the quantum setting and apply
these compilers to existing postquantum signatures. We also show that standard constructions such as Lamport
onetime signatures and Merkle signatures remain secure under quantum chosen message attacks, thus giving
signatures whose quantum security is based on generic assumptions. For encryption, we define security under
quantum chosen ciphertext attacks and present both publickey and symmetrickey constructions.
@inproceedings{BZ13b, author = {Dan Boneh and Mark Zhandry}, title = {Secure Signatures and Chosen Ciphertext Security in a Quantum Computing World}, booktitle = {Proceedings of CRYPTO 2013}, misc = {Full version available at \url{http://eprint.iacr.org/2013/088}}, year = {2013} }

[BZ13a] 
QuantumSecure Message Authentication Codes
EUROCRYPT 2013
[PDF]
[ePrint]
[slides]
We construct the first Message Authentication Codes (MACs) that are existentially unforgeable against
a quantum chosen message attack. These chosen message attacks model a quantum adversary's
ability to obtain the MAC on a superposition of messages of its choice. We begin by showing that a
quantum secure PRF is sufficient for constructing a quantum secure MAC, a fact that is considerably harder
to prove than its classical analogue. Next, we show that a variant of CarterWegman MACs can be proven to
be quantum secure. Unlike the classical settings, we present an attack showing that a pairwise independent
hash family is insufficient to construct a quantum secure onetime MAC, but we prove that a fourwise
independent family is sufficient for onetime security.
@inproceedings{BZ13a, author = {Dan Boneh and Mark Zhandry}, title = {QuantumSecure Message Authentication Codes}, booktitle = {Proceedings of EUROCRYPT 2013}, misc = {Full version available at \url{http://eprint.iacr.org/2012/606}}, year = {2013} }

[Zha12] 
How to Construct Quantum Random Functions
FOCS 2012
[PDF]
[ePrint]
[slides]
In the presence of a quantum adversary, there are two possible definitions of security for a
pseudorandom function. The first, which we call standardsecurity, allows the adversary to be
quantum, but requires queries to the function to be classical. The second, quantumsecurity, allows
the adversary to query the function on a quantum superposition of inputs, thereby giving the adversary
a superposition of the values of the function at many inputs at once. Existing proof techniques for
proving the security of pseudorandom functions fail when the adversary can make quantum queries. We
give the first quantumsecurity proofs for pseudorandom functions by showing that some classical
constructions of pseudorandom functions are quantumsecure. Namely, we show that the standard
constructions of pseudorandom functions from pseudorandom generators or pseudorandom synthesizers are
secure, even when the adversary can make quantum queries. We also show that a direct construction from
lattices is quantumsecure. To prove security, we develop new tools to prove the indistinguishability of
distributions under quantum queries.
In light of these positive results, one might hope that all
standardsecure pseudorandom functions are quantumsecure. To the contrary, we show a separation: under
the assumption that standardsecure pseudorandom functions exist, there are pseudorandom functions secure
against quantum adversaries making classical queries, but insecure once the adversary can make quantum queries.
@inproceedings{Zha12, author = {Mark Zhandry}, title = {How to Construct Quantum Random Functions}, booktitle = {Proceedings of FOCS 2012}, misc = {Full version available at \url{http://eprint.iacr.org/2012/182}}, year = {2012} }

[BDF^{+}11] 
Random Oracles in a Quantum World
AsiaCrypt 2011
[PDF]
[ePrint]
[slides]
The interest in postquantum cryptography — classical systems that remain secure in the presence of
a quantum adversary — has generated elegant proposals for new cryptosystems. Some of these systems are
set in the random oracle model and are proven secure relative to adversaries that have classical access to
the random oracle. We argue that to prove postquantum security one needs to prove security in the
quantumaccessible random oracle model where the adversary can query the random oracle with quantum
state.
We begin by separating the classical and quantumaccessible random oracle models by presenting
a scheme that is secure when the adversary is given classical access to the random oracle, but is insecure
when the adversary can make quantum oracle queries. We then set out to develop generic conditions under which
a classical random oracle proof implies security in the quantumaccessible random oracle model. We
introduce the concept of a historyfree reduction which is a category of classical random oracle
reductions that basically determine oracle answers independently of the history of previous queries, and we
prove that such reductions imply security in the quantum model. We then show that certain postquantum
proposals, including ones based on lattices, can be proven secure using historyfree reductions and are
therefore postquantum secure. We conclude with a rich set of open problems in this area.
@inproceedings{BDFLSZ11, author = {Dan Boneh and Özgür Dagdelen and Marc Fischlin and Anja Lehmann and Christian Schaffner and Mark Zhandry}, title = {Random Oracles in a Quantum World}, booktitle = {Proceedings of AsiaCrypt 2011}, misc = {Full version available at \url{http://eprint.iacr.org/2010/428/}}, year = {2011} }
