[BMZ19] 
The Distinction Between Fixed and Random Generators in GroupBased Assumptions
By  James Bartusek, Fermi Ma, and Mark Zhandry 
CRYPTO 2019
[PDF]
[ePrint]
There is surprisingly little consensus on the precise role of the generator g in groupbased assumptions such as DDH. Some works
consider g to be a fixed part of the group description, while others take it to be random. We study this subtle distinction from
a number of angles.
• In the generic group model, we demonstrate the plausibility of groups in which randomgenerator DDH (resp. CDH) is hard
but fixedgenerator DDH (resp. CDH) is easy. We observe that such groups have interesting cryptographic applications.
• We find that seemingly tight generic lower bounds for the DiscreteLog and CDH problems with preprocessing (CorriganGibbs
and Kogan, Eurocrypt 2018) are not tight in the subconstant success probability regime if the generator is random. We resolve this
by proving tight lower bounds for the random generator variants; our results formalize the intuition that using a random generator
will reduce the effectiveness of preprocessing attacks.
• We observe that DDHlike assumptions in which exponents are drawn from lowentropy distributions are particularly sensitive
to the fixed vs. randomgenerator distinction. Most notably, we discover that the Strong Power DDH assumption of Komargodski and
Yogev (Komargodski and Yogev, Eurocrypt 2018) used for nonmalleable point obfuscation is in fact false precisely because it requires
a fixed generator. In response, we formulate an alternative fixedgenerator assumption that suffices for a new construction of
nonmalleable point obfuscation, and we prove the assumption holds in the generic group model. We also give a generic group proof
for the security of fixedgenerator, lowentropy DDH (Canetti, Crypto 1997).
@inproceedings{BMZ19, author = {James Bartusek and Fermi Ma and Mark Zhandry}, title = {The Distinction Between Fixed and Random Generators in GroupBased Assumptions}, booktitle = {Proceedings of CRYPTO 2019}, misc = {Full version available at \url{https://eprint.iacr.org/2019/202}}, year = {2019} }

[Zha19b] 
Quantum Lightning Never Strikes the Same State Twice
EUROCRYPT 2019 (Best Paper Award)
[PDF]
[ePrint]
[slides]
Public key quantum money can be seen as a version of the quantum nocloning theorem that holds even when the quantum states can be verified by the adversary. In this work,
investigate quantum lightning, a formalization of "collisionfree quantum money" defined by Lutomirski et al. [ICS`10], where nocloning holds even when the
adversary herself generates the quantum state to be cloned. We then study quantum money and quantum lightning, showing the following results:
• We demonstrate the usefulness of quantum lightning beyond quantum money by showing several potential applications, such as generating random strings with a proof of
entropy, to completely decentralized cryptocurrency without a blockchain, where transactions is instant and local.
• We give winwin results for quantum money/lightning, showing that either signatures/hash functions/commitment schemes meet very strong recently proposed notions of
security, or they yield quantum money or lightning. Given the difficulty in constructing public key quantum money, this gives some indication that natural schemes do attain
strong security guarantees.
• We construct quantum lightning under the assumed multicollision resistance of random degree2 systems of polynomials. Our construction is inspired by our winwin
result for hash functions, and yields the first plausible standard model instantiation of a \emph{noncollapsing} collision resistant hash function. This improves on a
result of Unruh [Eurocrypt`16] that requires a quantum oracle.
•We show that instantiating the quantum money scheme of Aaronson and Christiano [STOC`12] with indistinguishability obfuscation that is secure against quantum
computers yields a secure quantum money scheme. This construction can be seen as an instance of our winwin result for signatures, giving the first separation between two
security notions for signatures from the literature.
Thus, we provide the first constructions of public key quantum money from several cryptographic assumptions. Along the way, we develop several new techniques including a
new precise variant of the nocloning theorem.
@inproceedings{Zha19b, author = {Mark Zhandry}, title = {Quantum Lightning Never Strikes the Same State Twice}, booktitle = {Proceedings of EUROCRYPT 2019}, misc = {Full version available at \url{https://eprint.iacr.org/2017/1080}}, year = {2019} }

[BLMZ19] 
New Techniques for Obfuscating Conjunctions
EUROCRYPT 2019
[PDF]
[ePrint]
A conjunction is a function $f(x_1,\dots,x_n) = \bigwedge_{i \in S} l_i$ where $S \subseteq [n]$ and each $l_i$ is $x_i$ or $\neg x_i$.
Bishop et al. (CRYPTO 2018) recently proposed obfuscating conjunctions by embedding them in the error positions of a noisy ReedSolomon
codeword and placing the codeword in a group exponent. They prove distributional virtual black box (VBB) security in the generic group
model for random conjunctions where $S \geq 0.226n$. While conjunction obfuscation is known from LWE, these constructions rely on
substantial technical machinery.
In this work, we conduct an extensive study of simple conjunction obfuscation techniques.
• We abstract the Bishop et al. scheme to obtain an equivalent yet more efficient "dual" scheme that handles conjunctions over exponential
size alphabets. We give a significantly simpler proof of generic group security, which we combine with a novel combinatorial argument to
obtain distributional VBB security for $S$ of any size.
• If we replace the ReedSolomon code with a random binary linear code, we can prove security from standard LPN and avoid encoding
in a group. This addresses an open problem posed by Bishop et al.~to prove security of this simple approach in the standard model.
• We give a new construction that achieves information theoretic distributional VBB security and weak functionality preservation
for $S \geq n  n^\delta$ and $\delta < 1$. Assuming discrete log and $\delta < 1/2$, we satisfy a stronger notion of functionality
preservation for computationally bounded adversaries while still achieving information theoretic security.
@inproceedings{BLMZ19, author = {James Bartusek and Tancrede Lepoint and Fermi Ma and Mark Zhandry}, title = {New Techniques for Obfuscating Conjunctions}, booktitle = {Proceedings of EUROCRYPT 2019}, misc = {Full version available at \url{https://eprint.iacr.org/2018/936}}, year = {2019} }

[MZ18] 
New Multilinear Maps from CLT13 with Provable Security Against Zeroizing Attacks
TCC 2018
[PDF]
[ePrint]
We devise the first weak multilinear map model for CLT13 multilinear maps (Coron et al., CRYPTO 2013) that captures all known classical polynomialtime attacks on the maps.
We then show important applications of our model. First, we show that in our model, several existing obfuscation and orderrevealing encryption schemes, when instantiated with
CLT13 maps, are secure against known attacks under a mild algebraic complexity assumption used in prior work. These are schemes that are actually being implemented for
experimentation. However, until our work, they had no rigorous justification for security.
Next, we turn to building constant degree multilinear maps on top of CLT13 for which there are no known attacks. Precisely, we prove that our scheme achieves the ideal security
notion for multilinear maps in our weak CLT13 model, under a much stronger variant of the algebraic complexity assumption used above. Our multilinear maps do not achieve the
full functionality of multilinear maps as envisioned by Boneh and Silverberg (Contemporary Mathematics, 2003), but do allow for rerandomization and for encoding arbitrary
plaintext elements.
@inproceedings{MZ18, author = {Fermi Ma and Mark Zhandry}, title = {New Multilinear Maps from CLT13 with Provable Security Against Zeroizing Attacks}, booktitle = {Proceedings of TCC 2018}, misc = {Full version available at \url{https://eprint.iacr.org/2017/946}}, year = {2018} }

[BGMZ18] 
Preventing Zeroizing Attacks on GGH15
By  James Bartusek, Jiaxin Guan, Fermi Ma, and Mark Zhandry 
TCC 2018
[PDF]
[ePrint]
The GGH15 multilinear maps have served as the foundation for a number of cuttingedge cryptographic proposals. Unfortunately, many schemes built on GGH15 have been explicitly
broken by socalled "zeroizing attacks," which exploit leakage from honest zerotest queries. The precise settings in which zeroizing attacks are possible have remained unclear.
Most notably, none of the current indistinguishability obfuscation (iO) candidates from GGH15 have any formal security guarantees against zeroizing attacks.
In this work, we demonstrate that all known zeroizing attacks on GGH15 implicitly construct algebraic relations between the results of zerotesting and the encoded plaintext
elements. We then propose a "GGH15 zeroizing model" as a new general framework which greatly generalizes known attacks.
Our second contribution is to describe a new GGH15 variant, which we formally analyze in our GGH15 zeroizing model. We then construct a new iO candidate using our multilinear
map, which we prove secure in the GGH15 zeroizing model. This implies resistance to all known zeroizing strategies. The proof relies on the Branching Program UnAnnihilatability
(BPUA) Assumption of Garg et al. [TCC 16B] (which is implied by PRFs in NC^1 secure against P/Poly) and the complexitytheoretic pBounded Speedup Hypothesis of Miles et al.
[ePrint 14] (a strengthening of the Exponential Time Hypothesis).
@inproceedings{BGMZ18, author = {James Bartusek and Jiaxin Guan and Fermi Ma and Mark Zhandry}, title = {Preventing Zeroizing Attacks on GGH15}, booktitle = {Proceedings of TCC 2018}, misc = {Full version available at \url{https://eprint.iacr.org/2018/511}}, year = {2018} }

[LZ17] 
Decomposable Obfuscation: A Framework for Building Applications of Obfuscation From Polynomial Hardness
By  Qipeng Liu and Mark Zhandry 
TCC 2017
[PDF]
[ePrint]
There is some evidence that indistinguishability obfuscation (iO) requires either exponentially many assumptions or (sub)exponentially hard assumptions, and indeed, all
known ways of building obfuscation suffer one of these two limitations. As such, any application built from iO suffers from these limitations as well. However, for most
applications, such limitations do not appear to be inherent to the application, just the approach using iO. Indeed, several recent works have shown how to base applications
of iO instead on functional encryption (FE), which can in turn be based on the polynomial hardness of just a few assumptions. However, these constructions are quite
complicated and recycle a lot of similar techniques.
In this work, we unify the results of previous works in the form of a weakened notion of obfuscation, called Decomposable Obfuscation. We show (1) how to build decomposable obfuscation from
functional encryption, and (2) how to build a variety of applications from decomposable obfuscation, including all of the applications already known from FE. The construction in (1)
hides most of the difficult techniques in the prior work, whereas the constructions in (2) are much closer to the comparatively simple constructions from iO. As such,
decomposable obfuscation represents a convenient new platform for obtaining more applications from polynomial hardness.
@inproceedings{LZ17, author = {Qipeng Liu and Mark Zhandry}, title = {Decomposable Obfuscation: A Framework for Building Applications of Obfuscation From Polynomial Hardness}, booktitle = {Proceedings of TCC 2017}, misc = {Full version available at \url{https://eprint.iacr.org/2017/209}}, year = {2017} }

[GPSZ17] 
Breaking the SubExponential Barrier in Obfustopia
EUROCRYPT 2017
[PDF]
[ePrint]
Indistinguishability obfuscation (iO) has emerged as a surprisingly powerful notion. Almost all known cryptographic primitives can be constructed from general purpose iO and
other minimalistic assumptions such as oneway functions. The primary challenge in this direction of research is to develop novel techniques for using iO since iO by itself
offers virtually no protection to secret information in the underlying programs. When dealing with complex situations, often these techniques have to consider an exponential
number of hybrids (usually one per input) in the security proof. This results in a subexponential loss in the security reduction. Unfortunately, this scenario is becoming more
and more common and appears to be a fundamental barrier to current techniques.
In this work, we explore the possibility of getting around this subexponential loss barrier
in constructions based on iO as well as the weaker notion of functional encryption (FE). Towards this goal, we achieve the following results:
• We construct trapdoor oneway permutations from polynomiallyhard iO (and standard oneway permutations). This improves upon the recent result of Bitansky, Paneth, and
Wichs (TCC 2016) which requires iO of subexponential strength.
• We present a different construction of trapdoor oneway permutations based on standard, polynomiallysecure, publickey functional encryption. This qualitatively improves
upon our first result since FE is a weaker primitive than iO — it can be based on polynomiallyhard assumptions on multilinear maps whereas iO inherently seems to requires
assumptions of subexponential strength.
• We present a construction of universal samplers also based only on polynomiallysecure publickey FE. Universal samplers, introduced in the work of Hofheinz, Jager, Khurana,
Sahai, Waters and Zhandry (EPRINT 2014), is an appealing notion which allows a single trusted setup for any protocol. As an application of this result, we construct a noninteractive
multiparty key exchange (NIKE) protocol for an unbounded number of users without a trusted setup. Prior to this work, such constructions were only known from indistinguishability
obfuscation.
In obtaining our results, we build upon and significantly extend the techniques of Garg, Pandey, and Srinivasan (EPRINT 2015) introduced in the context of reducing PPADhardness
to polynomiallysecure iO and FE.
@inproceedings{GPSZ17, author = {Sanjam Garg and Omkant Pandey and Akshayaram Srinivasan and Mark Zhandry}, title = {Breaking the SubExponential Barrier in Obfustopia}, booktitle = {Proceedings of EUROCRYPT 2017}, misc = {Full version available at \url{https://eprint.iacr.org/2016/102}}, year = {2017} }

[MZ17] 
Encryptor Combiners: A Unified Approach to Multiparty NIKE, (H)IBE, and Broadcast Encryption
[PDF]
[ePrint]
We define the concept of an encryptor combiner. Roughly, such a combiner takes as input n public keys for a public key encryption scheme, and produces a new combined
public key. Anyone knowing a secret key for one of the input public keys can learn the secret key for the combined public key, but an outsider who just knows the input
public keys (who can therefore compute the combined public key for himself) cannot decrypt ciphertexts from the combined public key. We actually think of public keys
more generally as encryption procedures, which can correspond to, say, encrypting to a particular identity under an IBE scheme or encrypting to a set of attributes
under an ABE scheme.
We show that encryptor combiners satisfying certain natural properties can give natural constructions of multiparty noninteractive key exchange, lowoverhead
broadcast encryption, and hierarchical identitybased encryption. We then show how to construct two different encryptor combiners. Our first is built from universal
samplers (which can in turn be built from indistinguishability obfuscation) and is sufficient for each application above, in some cases improving on existing
obfuscationbased constructions. Our second is built from lattices, and is sufficient for hierarchical identitybased encryption. Thus, encryptor combiners
serve as a new abstraction that (1) is a useful tool for designing cryptosystems, (2) unifies constructing hierarchical IBE from vastly different assumptions,
and (3) provides a target for instantiating obfuscation applications from better tools.
@misc{MZ17, author = {Fermi Ma and Mark Zhandry}, title = {Encryptor Combiners: A Unified Approach to Multiparty NIKE, (H)IBE, and Broadcast Encryption}, misc = {Full version available at \url{https://eprint.iacr.org/2017/152}}, year = {2017} }

[HJK^{+}16] 
How to Generate and use Universal Samplers
AsiaCrypt 2016
[PDF]
[ePrint]
The random oracle is an idealization that allows to model a hash function as an oracle that will output a uniformly random
string given an input. We introduce the notion of universal sampler scheme as a method sampling securely from
arbitrary distributions.
We first motivate such a notion by describing several applications including generating
the trusted parameters for many schemes from just a single trusted setup. We further demonstrate the versatility of universal
sampler by showing how they give rise to applications such as identitybased encryption and multiparty key exchange.
We give a solution in the random oracle model based on indistinguishability obfuscation. At the heart of our construction and
proof is a new technique we call "delayed backdoor programming".
@inproceedings{HJKSWZ16, author = {Dennis Hofheinz and Tibor Jager and Dakshita Khurana and Amit Sahai and Brent Waters and Mark Zhandry}, title = {How to Generate and use Universal Samplers}, booktitle = {Proceedings of AsiaCrypt 2016}, misc = {Full version available at \url{http://eprint.iacr.org/2014/507}}, year = {2016} }

[KMUZ16] 
Strong Hardness of Privacy from Weak Traitor Tracing
TCC 2016B
[PDF]
[ePrint]
Despite much study, the computational complexity of differential privacy remains poorly understood. In this paper we consider the computational complexity of
accurately answering a family Q of statistical queries over a data universe X under differential privacy. A statistical query
on a dataset D∈X^{n} asks "what fraction of the elements of D satisfy a given predicate p on X?" Dwork et al. (STOC`09) and Boneh and Zhandry
(CRYPTO`14) showed that if both Q and X are of polynomial size, then there is an efficient differentially private algorithm that accurately answers all the
queries, and if both Q and X are exponential size, then under a plausible assumption, no efficient algorithm exists.
We show that, under the same assumption, if either the number of queries or the data universe is of exponential size, then there is no
differentially private algorithm that answers all the queries. Specifically, we prove that if oneway functions and indistinguishability obfuscation exist, then:
• For every n, there is a family Q of O(n^{7}) queries on a data universe X of size 2^{d} such that no poly(n,d) time differentially private
algorithm takes a dataset D∈X^{n} and outputs accurate answers to every query in Q.
•For every n, there is a family Q of 2^{d} queries on a data universe X of size O(n^{7}) such that no poly(n,d) time differentially private
algorithm takes a dataset D∈X^{n} and outputs accurate answers to every query in Q.
In both cases, the result is nearly quantitatively tight, since there is an efficient differentially private algorithm that answers Ω(n^{2}) queries
on an exponential size data universe, and one that answers exponentially many queries on a data universe of size Ω(n^{2}).
Our proofs build on the connection between hardness results in differential privacy and traitortracing schemes (Dwork et al., STOC`09; Ullman, STOC`13).
We prove our hardness result for a polynomial size query set (resp., data universe) by showing that they follow from the existence of a special type of
traitortracing scheme with very short ciphertexts (resp., secret keys), but very weak security guarantees, and then constructing such a scheme.
@inproceedings{KMUZ16, author = {Lucas Kowalczyk and Tal Malkin and Jonathan Ullman and Mark Zhandry}, title = {Strong Hardness of Privacy from Weak Traitor Tracing}, booktitle = {Proceedings of TCC 2016B}, misc = {Full version available at \url{https://eprint.iacr.org/2016/721}}, year = {2016} }

[GMM^{+}16] 
Secure Obfuscation in a Weak Multilinear Map Model
TCC 2016B
[PDF]
[ePrint]
All known candidate indistinguishibility obfuscation (iO) schemes rely on candidate multilinear maps. Until recently, the strongest proofs of security
available for iO candidates were in a generic model that only allows "honest" use of the multilinear map. Most notably, in this model the zerotest procedure
only reveals whether an encoded element is 0, and nothing more.
However, this model is inadequate: there have been several attacks on multilinear maps
that exploit extra information revealed by the zerotest procedure. In particular, Miles, Sahai and Zhandry [Crypto`16] recently gave a polynomialtime attack
on several iO candidates when instantiated with the multilinear maps of Garg, Gentry, and Halevi [Eurocrypt`13], and also proposed a new "weak multilinear map
model" that captures all known polynomialtime attacks on GGH13.
In this work, we give a new iO candidate which can be seen as a small modification or
generalization of the original candidate of Garg, Gentry, Halevi, Raykova, Sahai, and Waters [FOCS`13]. We prove its security in the weak multilinear map model,
thus giving the first iO candidate that is provably secure against all known polynomialtime attacks on GGH13. The proof of security relies on a new assumption
about the hardness of computing annihilating polynomials, and we show that this assumption is implied by the existence of pseudorandom functions in NC^1.
@inproceedings{GMMSSZ16, author = {Sanjam Garg and Eric Miles and Pratyay Mukherjee and Amit Sahai and Akshayaram Srinivasan and Mark Zhandry}, title = {Secure Obfuscation in a Weak Multilinear Map Model}, booktitle = {Proceedings of TCC 2016B}, misc = {Full version available at \url{https://eprint.iacr.org/2016/817}}, year = {2016} }
Merged version of [BMS16] and [MSZ16]

[Zha16b] 
The Magic of ELFs
CRYPTO 2016 (Best Young Researcher Award)
[PDF]
[ePrint]
[slides]
We introduce the notion of an Extremely Lossy Function (ELF). An ELF is a family of functions with an image size that is tunable anywhere from injective to having a
polynomialsized image. Moreover, for any efficient adversary, for a sufficiently large polynomial r (necessarily chosen to be larger than the running time of the adversary),
the adversary cannot distinguish the injective case from the case of image size r.
We develop a handful of techniques for using ELFs, and show that such extreme lossiness is useful for instantiating random oracles in several settings. In particular, we show
how to use ELFs to build secure point function obfuscation with auxiliary input, as well as polynomiallymany hardcore bits for any oneway function. Such applications were
previously known from strong knowledge assumptions — for example polynomiallymany hardcore bits were only know from differing inputs obfuscation, a notion whose
plausibility has been seriously challenged. We also use ELFs to build a simple hash function with output intractability, a new notion we define that may be useful for
generating common reference strings.
Next, we give a construction of ELFs relying on the exponential hardness of the decisional DiffieHellman problem, which is plausible in elliptic curve groups. Combining
with the applications above, our work gives several practical constructions relying on qualitatively different — and arguably better — assumptions than prior works.
@inproceedings{Zha16b, author = {Mark Zhandry}, title = {The Magic of ELFs}, booktitle = {Proceedings of CRYPTO 2016}, misc = {Full version available at \url{https://eprint.iacr.org/2016/114}}, year = {2016} }

[MSZ16b] 
Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13
CRYPTO 2016
[PDF]
[ePrint]

[MSZ16a] 
Secure Obfuscation in a Weak Multilinear Map Model: A Simple Construction Secure Against All Known Attacks
[PDF]
[ePrint]
All known candidate indistinguishibility obfuscation (iO) schemes rely on candidate multilinear maps. Until recently, the strongest proofs of security available
for iO candidates were in a generic model that only allows "honest" use of the multilinear map. Most notably, in this model the zerotest procedure only reveals
whether an encoded element is 0, and nothing more.
However, this model is inadequate: there have been several attacks on multilinear maps that exploit extra information revealed by the zerotest procedure. In
particular, the authors [Crypto`16] recently gave a polynomialtime attack on several iO candidates when instantiated with the multilinear maps of Garg, Gentry,
and Halevi [Eurocrypt`13], and also proposed a new "weak multilinear map model" that captures all known polynomialtime attacks on GGH13.
Subsequent to those attacks, Garg, Mukherjee, and Srinivasan [ePrint`16] gave a beautiful new candidate iO construction, using a new variant of the GGH13
multilinear map candidate, and proved its security in the weak multilinear map model assuming an explicit PRF in NC^1.
In this work, we give a simpler candidate iO construction, which can be seen as a small modification or generalization of the original iO candidate of Garg,
Gentry, Halevi, Raykova, Sahai, and Waters [FOCS`13], and we prove its security in the weak multilinear map model. Our work has a number of benefits over
that of GMS16.
• Our construction and analysis are simpler. In particular, the proof of our security theorem is 4 pages, versus 15 pages in GMS16.
• We do not require any change to the original GGH13 multilinear map candidate.
• We prove the security of our candidate under a more general assumption. One way that our assumption can be true is if there exists a PRF in NC^1.
• GMS16 required an explicit PRF in NC^1 to be "hardwired" into their obfuscation candidate. In contrast, our scheme does not require any such hardwiring.
In fact, roughly speaking, our obfuscation candidate will depend only on the minimal size of such a PRF, and not on any other details of the PRF.
@misc{MSZ16a, author = {Eric Miles and Amit Sahai and Mark Zhandry}, title = {Secure Obfuscation in a Weak Multilinear Map Model: A Simple Construction Secure Against All Known Attacks}, misc = {Full version available at \url{https://eprint.iacr.org/2016/588}}, year = {2016} }

[BMSZ16] 
PostZeroizing Obfuscation: New Mathematical Tools, and the Case of Evasive Circuits
EUROCRYPT 2016
[PDF]
[ePrint]
[slides]
Recent devastating attacks by Cheon et al.~[Eurocrypt`15] and others have highlighted significant gaps in our intuition about security in candidate
multilinear map schemes, and in candidate obfuscators that use them. The new attacks, and some that were previously known, are typically called
"zeroizing" attacks because they all crucially rely on the ability of the adversary to create encodings of 0.
In this work, we initiate the study of postzeroizing obfuscation, and we present a construction for the special case of evasive functions. We
show that our obfuscator survives all known attacks on the underlying multilinear maps, by proving that no encodings of 0 can be created by
a genericmodel adversary. Previous obfuscators (for both evasive and general functions) were either analyzed in a lessconservative "prezeroizing"
model that does not capture recent attacks, or were proved secure relative to assumptions that are now known to be false.
To prove security, we introduce a new technique for analyzing polynomials over multilinear map encodings. This technique shows that the types of
encodings an adversary can create are much more restricted than was previously known, and is a crucial step toward achieving postzeroizing security.
We also believe the technique is of independent interest, as it yields efficiency improvements for existing schemes.
@inproceedings{BMSZ16, author = {Saikrishna Badrinarayanan and Eric Miles and Amit Sahai and Mark Zhandry}, title = {PostZeroizing Obfuscation: New Mathematical Tools, and the Case of Evasive Circuits}, booktitle = {Proceedings of EUROCRYPT 2016}, misc = {Full version available at \url{http://eprint.iacr.org/2015/167}}, year = {2016} }

[NWZ16] 
Anonymous Traitor Tracing: How to Embed Arbitrary Information in a Key
EUROCRYPT 2016
[PDF]
[ePrint]

[KZ16] 
CuttingEdge Cryptography Through the Lens of Secret Sharing
TCC 2016A
[PDF]
[ePrint]
Secret sharing is a mechanism by which a trusted dealer holding a secret "splits" a secret into many "shares" and distributes the shares to a collection
of parties. Associated with the sharing is a monotone access structure, that specifies which parties are "qualified" and which are not: any qualified subset
of parties can (efficiently) reconstruct the secret, but no unqualified subset can learn anything about the secret. In the most general form of secret sharing,
the access structure can be any monotone NP language.
In this work, we consider two very natural extensions of secret sharing. In the first, which we
call distributed secret sharing, there is no trusted dealer at all, and instead the role of the dealer is distributed amongst the parties themselves. Distributed
secret sharing can be thought of as combining the features of multiparty noninteractive key exchange and standard secret sharing, and may be useful in settings
where the secret is so sensitive that no one individual dealer can be trusted with the secret. Our second notion is called functional secret sharing, which incorporates
some of the features of functional encryption into secret sharing by providing more finegrained access to the secret. Qualified subsets of parties do not learn the
secret, but instead learn some function applied to the secret, with each set of parties potentially learning a different function.
Our main result is that both
of the extensions above are equivalent to several recent cuttingedge primitives. In particular, generalpurpose distributed secret sharing is equivalent to witness
PRFs, and generalpurpose functional secret sharing is equivalent to indistinguishability obfuscation. Thus, our work shows that it is possible to view some of the
recent developments in cryptography through a secret sharing lens, yielding new insights about both these cuttingedge primitives and secret sharing.
@inproceedings{KZ16, author = {Ilan Komargodski and Mark Zhandry}, title = {CuttingEdge Cryptography Through the Lens of Secret Sharing}, booktitle = {Proceedings of TCC 2016A}, misc = {Full version available at \url{http://eprint.iacr.org/2015/735}}, year = {2016} }

[Zha16a] 
How to Avoid Obfuscation Using Witness PRFs
TCC 2016A
[PDF]
[ePrint]
We propose a new cryptographic primitive called witness pseudorandom functions (witness PRFs). Witness PRFs are related to
witness encryption, but appear strictly stronger: we show that witness PRFs can be used for applications such as multiparty key
exchange without trsuted setup, polynomiallymany hardcore bits for any oneway function, and several others that were previously
only possible using obfuscation. Current candidate obfuscators are far from practical and typically rely on unnatural hardness
assumptions about multilinear maps. We give a construction of witness PRFs from multilinear maps that is simpler and much more
efficient than current obfuscation candidates, thus bringing several applications of obfuscation closer to practice. Our construction
relies on new but very natural hardness assumptions about the underlying maps that appear to be resistant to a recent line of attacks.
@inproceedings{Zha16a, author = {Mark Zhandry}, title = {How to Avoid Obfuscation Using Witness PRFs}, booktitle = {Proceedings of TCC 2016A}, misc = {Full version available at \url{http://eprint.iacr.org/2014/301}}, year = {2016} }

[BLR^{+}15] 
Semantically Secure OrderRevealing Encryption: MultiInput Functional Encryption Without Obfuscation
EUROCRYPT 2015
[PDF]
[ePrint]

[SZ14] 
Obfuscating LowRank Matrix Branching Programs
[PDF]
[ePrint]
In this work, we seek to extend the capabilities of the "core obfuscator" from the work of Garg, Gentry, Halevi, Raykova, Sahai,
and Waters (FOCS 2013), and all subsequent works constructing generalpurpose obfuscators. This core obfuscator builds upon
approximate multilinear maps, and applies to matrix branching programs. All previous works, however, limited the applicability of
such core obfuscators to matrix branching programs where each matrix was of full rank. As we illustrate by example, this
limitation is quite problematic, and intuitively limits the core obfuscator to obfuscating matrix branching programs that cannot
"forget." At a technical level, this limitation arises in previous work because all previous work relies on Kilian`s statistical
simulation theorem, which is false when applied to matrices not of full rank.
In our work, we build the first core
obfuscator that can apply to matrix branching programs where matrices can be of arbitrary rank. We prove security of our
obfuscator in the generic multilinear model, demonstrating a new proof technique that bypasses Kilian`s statistical simulation
theorem. Furthermore, our obfuscator achieves two other notable advances over previous work:
• Our construction allows for nonsquare matrices of arbitrary dimensions. We also show that this flexibility yields
concrete efficiency gains.
• Our construction allows for a single obfuscation to yield multiple bits of output. All previous work yielded only one bit
of output.
Our work leads to significant efficiency gains for obfuscation. Furthermore, our work can be applied to achieve efficiency gains
even in applications not directly using obfuscation.
@misc{SZ14, author = {Amit Sahai and Mark Zhandry}, title = {Obfuscating LowRank Matrix Branching Programs}, misc = {Full version available at \url{http://eprint.iacr.org/2014/773}}, year = {2014} }
Subsumed by [BMSZ16]

[Zha14] 
Adaptively Secure Broadcast Encryption with Small System Parameters
[PDF]
[ePrint]
We build the first publickey broadcast encryption systems that simultaneously achieve adaptive security against arbitrary number
of colluders, have small system parameters, and have security proofs that do not rely on knowledge assumptions or complexity
leveraging. Our schemes are built from either composite order multilinear maps or obfuscation and enjoy a ciphertext overhead,
private key size, and public key size that are all polylogarithmic in the total number of users. Previous broadcast schemes with
similar parameters are either proven secure in a weaker static model, or rely on nonfalsifiable knowledge assumptions.
@misc{Zha14, author = {Mark Zhandry}, title = {Adaptively Secure Broadcast Encryption with Small System Parameters}, misc = {Full version available at \url{http://eprint.iacr.org/2014/757}}, year = {2014} }

[BZ14] 
Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation
CRYPTO 2014
[PDF]
[ePrint]
[slides]
In this work, we show how to use indistinguishability obfuscation (iO) to build multiparty key exchange,
efficient broadcast encryption, and efficient traitor tracing. Our schemes enjoy several interesting
properties that have not been achievable before:
• Our multiparty noninteractive key exchange protocol does not require a trusted setup. Moreover,
the size of the published value from each user is independent of the total number of users.
• Our broadcast encryption schemes support distributed setup, where users choose their own
secret keys rather than be given secret keys by a trusted entity. The broadcast ciphertext size is
independent of the number of users.
• Our traitor tracing system is fully collusion resistant with short ciphertexts, secret keys,
and public key. Ciphertext size is logarithmic in the number of users and secret key size is independent
of the number of users. Our public key size is polylogarithmic in the number of users. The recent
functional encryption system of Garg, Gentry, Halevi, Raykova, Sahai, and Waters also leads to a traitor
tracing scheme with similar ciphertext and secret key size, but the construction in this paper is simpler
and more direct. These constructions resolve an open problem relating to differential privacy.
• Generalizing our traitor tracing system gives a private broadcast encryption scheme (where broadcast
ciphertexts reveal minimal information about the recipient set) with optimal size ciphertext.
Several of our proofs of security introduce new tools for proving security using indistinguishability obfuscation.
@inproceedings{BZ14, author = {Dan Boneh and Mark Zhandry}, title = {Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation}, booktitle = {Proceedings of CRYPTO 2014}, misc = {Full version available at \url{http://eprint.iacr.org/2013/642}}, year = {2014} }

[ABG^{+}13] 
DifferingInputs Obfuscation and Applications
[PDF]
[ePrint]
