[BGMZ18] 
Preventing Zeroizing Attacks on GGH15
By  James Bartusek, Jiaxin Guan, Fermi Ma, and Mark Zhandry 
TCC 2018
[PDF]
[ePrint]
The GGH15 multilinear maps have served as the foundation for a number of cutting-edge cryptographic proposals. Unfortunately, many schemes built on GGH15 have been explicitly broken by so-called "zeroizing attacks," which exploit leakage from honest zero-test queries. The precise settings in which zeroizing attacks are possible have remained unclear. Most notably, none of the current indistinguishability obfuscation (iO) candidates from GGH15 have any formal security guarantees against zeroizing attacks.
In this work, we demonstrate that all known zeroizing attacks on GGH15 implicitly construct algebraic relations between the results of zero-testing and the encoded plaintext elements. We then propose a "GGH15 zeroizing model" as a new general framework which greatly generalizes known attacks.
Our second contribution is to describe a new GGH15 variant, which we formally analyze in our GGH15 zeroizing model. We then construct a new iO candidate using our multilinear map, which we prove secure in the GGH15 zeroizing model. This implies resistance to all known zeroizing strategies. The proof relies on the Branching Program Un-Annihilatability (BPUA) Assumption of Garg et al. [TCC 16-B] (which is implied by PRFs in NC^1 secure against P/Poly) and the complexity-theoretic p-Bounded Speedup Hypothesis of Miles et al. [ePrint 14] (a strengthening of the Exponential Time Hypothesis).
@inproceedings{BGMZ18, author = {James Bartusek and Jiaxin Guan and Fermi Ma and Mark Zhandry}, title = {Preventing Zeroizing Attacks on GGH15}, booktitle = {Proceedings of TCC 2018}, misc = {Full version available at \url{https://eprint.iacr.org/2018/511}}, year = {2018} }

[MZ18] 
New Multilinear Maps from CLT13 with Provable Security Against Zeroizing Attacks
TCC 2018
[PDF]
[ePrint]
We devise the first weak multilinear map model for CLT13 multilinear maps (Coron et al., CRYPTO 2013) that captures all known classical polynomial-time attacks on the maps. We then show important applications of our model. First, we show that in our model, several existing obfuscation and order-revealing encryption schemes, when instantiated with CLT13 maps, are secure against known attacks under a mild algebraic complexity assumption used in prior work. These are schemes that are actually being implemented for experimentation. However, until our work, they had no rigorous justification for security.
Next, we turn to building constant-degree multilinear maps on top of CLT13 for which there are no known attacks. Precisely, we prove that our scheme achieves the ideal security notion for multilinear maps in our weak CLT13 model, under a much stronger variant of the algebraic complexity assumption used above. Our multilinear maps do not achieve the full functionality of multilinear maps as envisioned by Boneh and Silverberg (Contemporary Mathematics, 2003), but do allow for re-randomization and for encoding arbitrary plaintext elements.
@inproceedings{MZ18, author = {Fermi Ma and Mark Zhandry}, title = {New Multilinear Maps from CLT13 with Provable Security Against Zeroizing Attacks}, booktitle = {Proceedings of TCC 2018}, misc = {Full version available at \url{https://eprint.iacr.org/2017/946}}, year = {2018} }

[BGK^{+}18] 
Multiparty Non-Interactive Key Exchange and More From Isogenies on Elliptic Curves
MATHCRYPT 2018
[PDF]
[ePrint]
We describe a framework for constructing an efficient non-interactive key exchange (NIKE) protocol for n parties for any n >= 2. Our approach is based on the problem of computing isogenies between isogenous elliptic curves, which is believed to be difficult. We do not obtain a working protocol because of a missing step that is currently an open problem. What we need to complete our protocol is an efficient algorithm that takes as input an abelian variety presented as a product of isogenous elliptic curves, and outputs an isomorphism invariant of the abelian variety.
Our framework builds a cryptographic invariant map, which is a new primitive closely related to a cryptographic multilinear map, but whose range does not necessarily have a group structure. Nevertheless, we show that a cryptographic invariant map can be used to build several cryptographic primitives, including NIKE, that were previously constructed from multilinear maps and indistinguishability obfuscation.
@inproceedings{BGKLSSTZ18, author = {Dan Boneh and Darren Glass and Daniel Krashen and Kristin Lauter and Shahed Sharif and Alice Silverberg and Mehdi Tibouchi and Mark Zhandry}, title = {Multiparty Non-Interactive Key Exchange and More From Isogenies on Elliptic Curves}, booktitle = {Proceedings of MATHCRYPT 2018}, misc = {Full version available at \url{https://eprint.iacr.org/2018/665}}, year = {2018} }

[Zha16a] 
How to Avoid Obfuscation Using Witness PRFs
TCC 2016-A
[PDF]
[ePrint]
We propose a new cryptographic primitive called witness pseudorandom functions (witness PRFs). Witness PRFs are related to witness encryption, but appear strictly stronger: we show that witness PRFs can be used for applications such as multiparty key exchange without trusted setup, polynomially-many hardcore bits for any one-way function, and several others that were previously only possible using obfuscation. Current candidate obfuscators are far from practical and typically rely on unnatural hardness assumptions about multilinear maps. We give a construction of witness PRFs from multilinear maps that is simpler and much more efficient than current obfuscation candidates, thus bringing several applications of obfuscation closer to practice. Our construction relies on new but very natural hardness assumptions about the underlying maps that appear to be resistant to a recent line of attacks.
@inproceedings{Zha16a, author = {Mark Zhandry}, title = {How to Avoid Obfuscation Using Witness PRFs}, booktitle = {Proceedings of TCC 2016-A}, misc = {Full version available at \url{http://eprint.iacr.org/2014/301}}, year = {2016} }

[GGHZ16] 
Functional Encryption without Obfuscation
TCC 2016-A
[PDF]
[ePrint]
[slides]
Previously known functional encryption (FE) schemes for general circuits relied on indistinguishability obfuscation, which in turn either relies on an exponential number of assumptions (basically, one per circuit), or a polynomial set of assumptions, but with an exponential loss in the security reduction. Additionally, these schemes are proved in an unrealistic selective security model, where the adversary is forced to specify its target before seeing the public parameters. For these constructions, full security can be obtained, but at the cost of an exponential loss in the security reduction.
In this work, we overcome the above limitations and realize a fully secure functional encryption scheme without using indistinguishability obfuscation. Specifically, the security of our scheme relies only on the polynomial hardness of simple assumptions on multilinear maps.
@inproceedings{GGHZ16, author = {Sanjam Garg and Craig Gentry and Shai Halevi and Mark Zhandry}, title = {Functional Encryption without Obfuscation}, booktitle = {Proceedings of TCC 2016-A}, misc = {Full version available at \url{http://eprint.iacr.org/2014/666}}, year = {2016} }

[BLR^{+}15] 
Semantically Secure Order-Revealing Encryption: Multi-Input Functional Encryption Without Obfuscation
EUROCRYPT 2015
[PDF]
[ePrint]

[Zha14] 
Adaptively Secure Broadcast Encryption with Small System Parameters
[PDF]
[ePrint]
We build the first public-key broadcast encryption systems that simultaneously achieve adaptive security against an arbitrary number of colluders, have small system parameters, and have security proofs that do not rely on knowledge assumptions or complexity leveraging. Our schemes are built from either composite-order multilinear maps or obfuscation and enjoy a ciphertext overhead, private key size, and public key size that are all polylogarithmic in the total number of users. Previous broadcast schemes with similar parameters are either proven secure in a weaker static model, or rely on non-falsifiable knowledge assumptions.
@misc{Zha14, author = {Mark Zhandry}, title = {Adaptively Secure Broadcast Encryption with Small System Parameters}, misc = {Full version available at \url{http://eprint.iacr.org/2014/757}}, year = {2014} }

[BWZ14] 
Low Overhead Broadcast Encryption from Multilinear Maps
CRYPTO 2014
[PDF]
[ePrint]
[slides]
We use multilinear maps to provide a solution to the long-standing problem of public-key broadcast encryption where all parameters in the system are small. In our constructions, ciphertext overhead, private key size, and public key size are all polylogarithmic in the total number of users. The systems are fully collusion-resistant against any number of colluders. All our systems are based on an O(log N)-way multilinear map to support a broadcast system for N users. We present three constructions based on different types of multilinear maps and providing different security guarantees. Our systems naturally give identity-based broadcast systems with short parameters.
@inproceedings{BWZ14, author = {Dan Boneh and Brent Waters and Mark Zhandry}, title = {Low Overhead Broadcast Encryption from Multilinear Maps}, booktitle = {Proceedings of CRYPTO 2014}, misc = {Full version available at \url{http://eprint.iacr.org/2014/195}}, year = {2014} }

[GGHZ14] 
Fully Secure Attribute Based Encryption from Multilinear Maps
[PDF]
[ePrint]
We construct the first fully secure attribute-based encryption (ABE) scheme that can handle access control policies expressible as polynomial-size circuits. Previous ABE schemes for general circuits were proved secure only in an unrealistic selective security model, where the adversary is forced to specify its target before seeing the public parameters, and full security could be obtained only by complexity leveraging, where the reduction succeeds only if it correctly guesses the adversary's target string x^*, incurring a 2^{|x^*|} loss factor in the tightness of the reduction.
At a very high level, our basic ABE scheme is reminiscent of Yao's garbled circuits, with 4 gadgets per gate of the circuit, but where the decrypter in our scheme puts together the appropriate subset of gate gadgets like puzzle pieces by using a cryptographic multilinear map to multiply the pieces together. We use a novel twist of Waters' dual encryption methodology to prove the full security of our scheme. Most importantly, we show how to preserve the delicate information-theoretic argument at the heart of Waters' dual system by enfolding it in an information-theoretic argument similar to that used in Yao's garbled circuits.
@misc{GGHZ14, author = {Sanjam Garg and Craig Gentry and Shai Halevi and Mark Zhandry}, title = {Fully Secure Attribute Based Encryption from Multilinear Maps}, misc = {Full version available at \url{http://eprint.iacr.org/2014/622}}, year = {2014} }
