Encrypted Messages from the Heights of Cryptomania

How flexible can encryption be? This question motivated the invention of public key encryption that began modern cryptography. A lot has happened since then. I will focus on two lines of research that I find especially interesting (mainly the second) and the mysterious gap between them. The first line of research asks: how flexibly can encryption handle compu-tation? The answer seems to be " very flexibly ". We have fully homomorphic encryption (FHE) schemes [RAD78,Gen09,DGHV10,BV11b,GH11,BV11a] that allow a worker (non-interactively) to do arbitrary blind processing of encrypted data without obtaining access to the data. However, current FHE schemes do not handle access control flexibly; there is only one keyholder, and only it can decrypt. The second line of research asks: how flexibly can encryption handle access control? Again, the answer seems to be " very flexibly ". Building on Garg et al.'s [GGH12b] approximate multilinear maps, we now have attribute-based en-cryption (ABE) schemes for arbitrary circuits [SW12,GGH12a] that allow an encrypter (non-interactively) to embed an arbitrarily complex access policy into its ciphertext, such that only users whose keys are associated to a satisfying set of attributes can (non-interactively) decrypt. We can be even more flexible: Garg et al. [GGSW12] describe a " witness encryption " scheme where a user's decryption key is not really a key at all, but rather a witness for some arbitrary NP relation specified by the encrypter (the encrypter itself may not know a witness). However , current ABE and witness encryption schemes do not handle computation flexibly; the decrypter recovers the encrypter's message, unmodified. In between, we have concepts like obfuscation and functional encryption that attempt to handle computation and access control simultaneously – in particular, by allowing the user to learn a prescribed function only of the user's input (similar to ABE), while hiding all intermediate values of the computation (similar to FHE). Here, it seems that we finally have reached the edge of Cryptomania, as we bump against impossibility results [BGI + 01,vDJ10,BSW11,AGVW12]. However , the precise contours of the boundary between possible and impossible remain unknown. In this talk, I will focus mostly on the recent positive results in the second line of research, showing how a somewhat homomorphic variant of the NTRU encryption scheme leads quite naturally to Garg et al.'s approximate multilinear maps, and describing how to use multilinear maps to construct witness encryp-tion. Regarding obfuscation, functional encryption, and the …